Moving all analyzers over to new structure.

This is a checkpoint, it works but there's more cleanup to do. TODOs in
src/analyzer/protocols/TODO.

doc/scripts/DocSourcesList.cmake

@@ -17,15 +17,48 @@ rest_target(${psd} base/init-default.bro internal)
 rest_target(${psd} base/init-bare.bro internal)
 
 rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/analyzer.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ayiya/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/backdoor/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/bittorrent/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/conn-size/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dce-rpc/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dhcp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dns/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/file/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/finger/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ftp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gnutella/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gtpv1/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/functions.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/icmp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ident/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/interconn/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/irc/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/login/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/modbus/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ncp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/netbios-ssn/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ntp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pia/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pop3/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/rpc/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smb/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smtp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/socks/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssh/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssl/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/stepping-stone/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/syslog/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/tcp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/teredo/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/udp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/zip/events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/functions.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/protocols/ssl/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/protocols/syslog/events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro)

src/CMakeLists.txt

@@ -133,27 +133,8 @@ set(BINPAC_AUXSRC
 binpac_target(binpac-lib.pac)
 binpac_target(binpac_bro-lib.pac)
 
-binpac_target(ayiya.pac
-    ayiya-protocol.pac ayiya-analyzer.pac)
-binpac_target(bittorrent.pac
-    bittorrent-protocol.pac bittorrent-analyzer.pac)
-binpac_target(dce_rpc.pac
-    dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac)
-binpac_target(dce_rpc_simple.pac
-    dce_rpc-protocol.pac epmapper.pac)
-binpac_target(dhcp.pac
-    dhcp-protocol.pac dhcp-analyzer.pac)
-binpac_target(gtpv1.pac
-    gtpv1-protocol.pac gtpv1-analyzer.pac)
-binpac_target(ncp.pac)
 binpac_target(netflow.pac
     netflow-protocol.pac netflow-analyzer.pac)
-binpac_target(smb.pac
-    smb-protocol.pac smb-pipe.pac smb-mailslot.pac)
-binpac_target(socks.pac
-    socks-protocol.pac socks-analyzer.pac)
-binpac_target(modbus.pac
-    modbus-protocol.pac modbus-analyzer.pac)
 
 ########################################################################
 ## Including subdirectories.
@@ -233,11 +214,7 @@ set(bro_SRCS
     Anon.cc
     ARP.cc
     Attr.cc
-    AYIYA.cc
-    BackDoor.cc
     Base64.cc
-    BitTorrent.cc
-    BitTorrentTracker.cc
     BPF_Program.cc
     BroDoc.cc
     BroDocObj.cc
@@ -247,13 +224,7 @@ set(bro_SRCS
     ChunkedIO.cc
     CompHash.cc
     Conn.cc
-    ConnSizeAnalyzer.cc
-    ContentLine.cc
-    DCE_RPC.cc
     DFA.cc
-    DHCP-binpac.cc
-    DNS.cc
-    DNS_Mgr.cc
     DbgBreakpoint.cc
     DbgHelp.cc
     DbgWatch.cc
@@ -263,45 +234,30 @@ set(bro_SRCS
     Desc.cc
     Dict.cc
     Discard.cc
+    DNS_Mgr.cc
     EquivClass.cc
     Event.cc
     EventHandler.cc
     EventLauncher.cc
     EventRegistry.cc
     Expr.cc
-    FTP.cc
     File.cc
-    FileAnalyzer.cc
-    Finger.cc
     FlowSrc.cc
     Frag.cc
     Frame.cc
     Func.cc
-    Gnutella.cc
-    GTPv1.cc
     Hash.cc
-    ICMP.cc
     ID.cc
-    Ident.cc
     IntSet.cc
-    InterConn.cc
     IOSource.cc
     IP.cc
     IPAddr.cc
-    IRC.cc
     List.cc
     Reporter.cc
-    Login.cc
     MIME.cc
-    Modbus.cc
-    NCP.cc
     NFA.cc
-    NFS.cc
-    NTP.cc
-    NVT.cc
     Net.cc
     NetVar.cc
-    NetbiosSSN.cc
     Obj.cc
     OpaqueVal.cc
     OSFinger.cc
@@ -309,30 +265,20 @@ set(bro_SRCS
     PacketSort.cc
     PersistenceSerializer.cc
     PktSrc.cc
-    PIA.cc
     PolicyFile.cc
-    POP3.cc
-    Portmap.cc
     PrefixTable.cc
     PriorityQueue.cc
     Queue.cc
     RandTest.cc
     RE.cc
-    RPC.cc
     Reassem.cc
     RemoteSerializer.cc
-    Rlogin.cc
-    RSH.cc
     Rule.cc
     RuleAction.cc
     RuleCondition.cc
     RuleMatcher.cc
     ScriptAnaly.cc
     SmithWaterman.cc
-    SMB.cc
-    SMTP.cc
-    SOCKS.cc
-    SSH.cc
     Scope.cc
     SerializationFormat.cc
     SerialObj.cc
@@ -340,23 +286,14 @@ set(bro_SRCS
     Sessions.cc
     StateAccess.cc
     Stats.cc
-    SteppingStone.cc
     Stmt.cc
-    TCP.cc
-    TCP_Endpoint.cc
-    TCP_Reassembler.cc
-    Telnet.cc
-    Teredo.cc
     Timer.cc
     Traverse.cc
     Trigger.cc
     TunnelEncapsulation.cc
     Type.cc
-    UDP.cc
     Val.cc
     Var.cc
-    XDR.cc
-    ZIP.cc
     bsd-getopt-long.c
     bro_inet_ntop.c
     cq.c
@@ -391,8 +328,6 @@ set(bro_SRCS
     plugin/Manager.cc
     plugin/Plugin.cc
 
-    analyzer/protocols/BuiltInAnalyzers.cc
-
     nb_dns.c
     digest.h
 )

src/Conn.cc

@@ -11,7 +11,7 @@
 #include "Sessions.h"
 #include "Reporter.h"
 #include "Timer.h"
-#include "PIA.h"
+#include "analyzer/protocols/pia/PIA.h"
 #include "binpac.h"
 #include "TunnelEncapsulation.h"
 #include "analyzer/Analyzer.h"

src/Func.cc

@@ -38,7 +38,7 @@
 #include "Func.h"
 #include "Frame.h"
 #include "Var.h"
-#include "Login.h"
+#include "analyzer/protocols/login/Login.h"
 #include "Sessions.h"
 #include "RE.h"
 #include "Serializer.h"

src/RuleAction.cc

@@ -8,7 +8,7 @@ using std::string;
 #include "Conn.h"
 #include "Event.h"
 #include "NetVar.h"
-#include "PIA.h"
+#include "analyzer/protocols/pia/PIA.h"
 
 #include "analyzer/Manager.h"
 

src/RuleCondition.cc

@@ -1,7 +1,7 @@
 #include "config.h"
 
 #include "RuleCondition.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "Scope.h"
 
 static inline bool is_established(const TCP_Endpoint* e)

src/Sessions.cc

@@ -16,12 +16,12 @@
 #include "Reporter.h"
 #include "OSFinger.h"
 
-#include "ICMP.h"
+#include "analyzer/protocols/icmp/ICMP.h"
-#include "UDP.h"
+#include "analyzer/protocols/udp/UDP.h"
 
-#include "SteppingStone.h"
+#include "analyzer/protocols/stepping-stone/SteppingStone.h"
-#include "BackDoor.h"
+#include "analyzer/protocols/backdoor/BackDoor.h"
-#include "InterConn.h"
+#include "analyzer/protocols/interconn/InterConn.h"
 #include "Discard.h"
 #include "RuleMatcher.h"
 

src/Sessions.h

@@ -12,6 +12,8 @@
 #include "Stats.h"
 #include "NetVar.h"
 #include "TunnelEncapsulation.h"
+#include "analyzer/protocols/tcp/Stats.h"
+
 #include <utility>
 
 struct pcap_pkthdr;

src/Stats.cc

@@ -389,84 +389,6 @@ void SegmentProfiler::Report()
 	reporter->SegmentProfile(name, loc, dtime, dmem);
 	}
 
-
-TCPStateStats::TCPStateStats()
-	{
-	for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
-		for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j )
-			state_cnt[i][j] = 0;
-	}
-
-void TCPStateStats::ChangeState(EndpointState o_prev, EndpointState o_now,
-				EndpointState r_prev, EndpointState r_now)
-	{
-	--state_cnt[o_prev][r_prev];
-	++state_cnt[o_now][r_now];
-	}
-
-void TCPStateStats::FlipState(EndpointState orig, EndpointState resp)
-	{
-	--state_cnt[orig][resp];
-	++state_cnt[resp][orig];
-	}
-
-unsigned int TCPStateStats::NumStatePartial() const
-	{
-	unsigned int sum = 0;
-	for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
-		{
-		sum += state_cnt[TCP_ENDPOINT_PARTIAL][i];
-		sum += state_cnt[i][TCP_ENDPOINT_PARTIAL];
-		}
-
-	return sum;
-	}
-
-void TCPStateStats::PrintStats(BroFile* file, const char* prefix)
-	{
-	file->Write(prefix);
-	file->Write("        Inact.  Syn.    SA      Part.   Est.    Fin.    Rst.\n");
-
-	for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
-		{
-		file->Write(prefix);
-
-		switch ( i ) {
-#define STATE_STRING(state, str) \
-	case state: \
-		file->Write(str); \
-		break;
-
-		STATE_STRING(TCP_ENDPOINT_INACTIVE, "Inact.");
-		STATE_STRING(TCP_ENDPOINT_SYN_SENT, "Syn.  ");
-		STATE_STRING(TCP_ENDPOINT_SYN_ACK_SENT, "SA    ");
-		STATE_STRING(TCP_ENDPOINT_PARTIAL, "Part. ");
-		STATE_STRING(TCP_ENDPOINT_ESTABLISHED, "Est.  ");
-		STATE_STRING(TCP_ENDPOINT_CLOSED, "Fin.  ");
-		STATE_STRING(TCP_ENDPOINT_RESET, "Rst.  ");
-
-		}
-
-		file->Write("  ");
-
-		for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j )
-			{
-			unsigned int n = state_cnt[i][j];
-			if ( n > 0 )
-				{
-				char buf[32];
-				safe_snprintf(buf, sizeof(buf), "%-8d", state_cnt[i][j]);
-				file->Write(buf);
-				}
-			else
-				file->Write("        ");
-			}
-
-		file->Write("\n");
-		}
-	}
-
-
 PacketProfiler::PacketProfiler(unsigned int mode, double freq,
 				BroFile* arg_file)
 	{

src/Stats.h

@@ -7,9 +7,6 @@
 #include <sys/time.h>
 #include <sys/resource.h>
 
-#include "TCP_Endpoint.h"
-
-
 // Object called by SegmentProfiler when it is done and reports its
 // cumulative CPU/memory statistics.
 class SegmentStatsReporter {
@@ -121,67 +118,6 @@ extern uint64 tot_ack_bytes;
 extern uint64 tot_gap_events;
 extern uint64 tot_gap_bytes;
 
-
-// A TCPStateStats object tracks the distribution of TCP states for
-// the currently active connections.  
-class TCPStateStats {
-public:
-	TCPStateStats();
-	~TCPStateStats() { }
-
-	void ChangeState(EndpointState o_prev, EndpointState o_now,
-				EndpointState r_prev, EndpointState r_now);
-	void FlipState(EndpointState orig, EndpointState resp);
-
-	void StateEntered (EndpointState o_state, EndpointState r_state)
-		{ ++state_cnt[o_state][r_state]; }
-	void StateLeft (EndpointState o_state, EndpointState r_state)
-		{ --state_cnt[o_state][r_state]; }
-
-	unsigned int Cnt(EndpointState state) const
-		{ return Cnt(state, state); }
-	unsigned int Cnt(EndpointState state1, EndpointState state2) const
-		{ return state_cnt[state1][state2]; }
-
-	unsigned int NumStateEstablished() const
-		{ return Cnt(TCP_ENDPOINT_ESTABLISHED); }
-	unsigned int NumStateHalfClose() const
-		{ // corresponds to S2,S3
-		return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_CLOSED) +
-			Cnt(TCP_ENDPOINT_CLOSED, TCP_ENDPOINT_ESTABLISHED);
-		}
-	unsigned int NumStateHalfRst() const
-		{
-		return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_RESET) +
-			Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_ESTABLISHED);
-		}
-	unsigned int NumStateClosed() const
-		{ return Cnt(TCP_ENDPOINT_CLOSED); }
-	unsigned int NumStateRequest() const
-		{
-		assert(Cnt(TCP_ENDPOINT_INACTIVE, TCP_ENDPOINT_SYN_SENT)==0);
-		return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_INACTIVE);
-		}
-	unsigned int NumStateSuccRequest() const
-		{
-		return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_SYN_ACK_SENT) +
-			Cnt(TCP_ENDPOINT_SYN_ACK_SENT, TCP_ENDPOINT_SYN_SENT);
-		}
-	unsigned int NumStateRstRequest() const
-		{
-		return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_RESET) +
-			Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_SYN_SENT);
-		}
-	unsigned int NumStateInactive() const
-		{ return Cnt(TCP_ENDPOINT_INACTIVE); }
-	unsigned int NumStatePartial() const;
-
-	void PrintStats(BroFile* file, const char* prefix);
-
-private:
-	unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1];
-};
-
 class PacketProfiler {
 public:
 	PacketProfiler(unsigned int mode, double freq, BroFile* arg_file);

src/analyzer/Analyzer.cc

@@ -4,7 +4,7 @@
 #include "Analyzer.h"
 #include "Manager.h"
 
-#include "../PIA.h"
+#include "analyzer/protocols/pia/PIA.h"
 #include "../Event.h"
 
 namespace analyzer {

src/analyzer/Manager.cc

@@ -1,16 +1,17 @@
 
 #include "Manager.h"
 
-#include "PIA.h"
 #include "Hash.h"
-#include "ICMP.h"
-#include "UDP.h"
-#include "TCP.h"
 #include "Val.h"
-#include "BackDoor.h"
+
-#include "InterConn.h"
+#include "analyzer/protocols/backdoor/BackDoor.h"
-#include "SteppingStone.h"
+#include "analyzer/protocols/conn-size/ConnSize.h"
-#include "ConnSizeAnalyzer.h"
+#include "analyzer/protocols/icmp/ICMP.h"
+#include "analyzer/protocols/interconn/InterConn.h"
+#include "analyzer/protocols/pia/PIA.h"
+#include "analyzer/protocols/stepping-stone/SteppingStone.h"
+#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/udp/UDP.h"
 
 #include "plugin/Manager.h"
 
@@ -153,15 +154,16 @@ void Manager::RegisterAnalyzerComponent(Component* component)
 	if ( Lookup(component->Name()) )
 		reporter->FatalError("Analyzer %s defined more than once", component->Name());
 
-	DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)",
+	string name = to_upper(component->Name());
-		component->Name(), component->Tag().AsString().c_str());
 
-	analyzers_by_name.insert(std::make_pair(component->Name(), component));
+	DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)",
+		name.c_str(), component->Tag().AsString().c_str());
+
+	analyzers_by_name.insert(std::make_pair(name, component));
 	analyzers_by_tag.insert(std::make_pair(component->Tag(), component));
 	analyzers_by_val.insert(std::make_pair(component->Tag().AsEnumVal()->InternalInt(), component));
 
 	// Install enum "Analyzer::ANALYZER_*"
-	string name = to_upper(component->Name());
 	string id = fmt("ANALYZER_%s", name.c_str());
 	tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().AsEnumVal()->InternalInt(), true);
 	}
@@ -306,7 +308,9 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn)
 	if ( ! c->Enabled() )
 		return 0;
 
-	assert(c->Factory());
+	if ( ! c->Factory() )
+		reporter->InternalError("analyzer %s cannot be instantiated dynamically", GetAnalyzerName(tag));
+
 	Analyzer* a = c->Factory()(conn);
 
 	if ( ! a )

src/analyzer/protocols/BuiltInAnalyzers.cc

@@ -1,119 +0,0 @@
-
-// TODO: This file will eventually go away once we've converrted all
-// analyzers into separate plugins.
-
-#include "BuiltInAnalyzers.h"
-#include "analyzer/Component.h"
-
-#include "../../binpac_bro.h"
-
-#include "AYIYA.h"
-#include "BackDoor.h"
-#include "BitTorrent.h"
-#include "BitTorrentTracker.h"
-#include "Finger.h"
-#include "InterConn.h"
-#include "NTP.h"
-#include "ICMP.h"
-#include "SteppingStone.h"
-#include "IRC.h"
-#include "SMTP.h"
-#include "FTP.h"
-#include "FileAnalyzer.h"
-#include "DNS.h"
-#include "DHCP-binpac.h"
-#include "Telnet.h"
-#include "Rlogin.h"
-#include "RSH.h"
-#include "DCE_RPC.h"
-#include "Gnutella.h"
-#include "Ident.h"
-#include "Modbus.h"
-#include "NCP.h"
-#include "NetbiosSSN.h"
-#include "SMB.h"
-#include "NFS.h"
-#include "Portmap.h"
-#include "POP3.h"
-#include "SOCKS.h"
-#include "SSH.h"
-#include "Teredo.h"
-#include "ConnSizeAnalyzer.h"
-#include "GTPv1.h"
-
-using namespace analyzer;
-
-BuiltinAnalyzers builtin_analyzers;
-
-#define DEFINE_ANALYZER(name, factory) \
-	AddComponent(new Component(name, factory))
-
-void BuiltinAnalyzers::Init()
-	{
-	SetName("Core-Analyzers");
-	SetDescription("Built-in protocol analyzers");
-	SetVersion(BRO_PLUGIN_VERSION_BUILTIN);
-
-	DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer);
-	DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer);
-
-	DEFINE_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer);
-
-	DEFINE_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer);
-
-	DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("LOGIN", 0);  // just a base class
-	DEFINE_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("NETBIOSSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("RPC", 0);
-	DEFINE_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer);
-
-	DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer);
-	DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer);
-
-	DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer);
-
-	DEFINE_ANALYZER("FILE", File_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("TCPSTATS", TCPStats_Analyzer::InstantiateAnalyzer);
-	DEFINE_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer);
-
-	DEFINE_ANALYZER("CONTENTS", 0);
-	DEFINE_ANALYZER("CONTENTLINE", 0);
-	DEFINE_ANALYZER("NVT", 0);
-	DEFINE_ANALYZER("ZIP", 0);
-	DEFINE_ANALYZER("CONTENTS_DNS", 0);
-	DEFINE_ANALYZER("CONTENTS_NETBIOSSSN", 0);
-	DEFINE_ANALYZER("CONTENTS_NCP", 0);
-	DEFINE_ANALYZER("CONTENTS_RLOGIN", 0);
-	DEFINE_ANALYZER("CONTENTS_RSH", 0);
-	DEFINE_ANALYZER("CONTENTS_DCE_RPC", 0);
-	DEFINE_ANALYZER("CONTENTS_SMB", 0);
-	DEFINE_ANALYZER("CONTENTS_RPC", 0);
-	DEFINE_ANALYZER("CONTENTS_NFS", 0);
-	DEFINE_ANALYZER("FTP_ADAT", 0);
-	}
-

src/analyzer/protocols/BuiltInAnalyzers.h

@@ -1,17 +0,0 @@
-
-#ifndef ANALYZER_BUILTIN_ANALYZERS_H
-#define ANALYZER_BUILTIN_ANALYZERS_H
-
-#include "plugin/Plugin.h"
-
-namespace analyzer {
-
-class BuiltinAnalyzers : public plugin::Plugin {
-public:
-	virtual void Init();
-};
-
-}
-
-
-#endif

src/analyzer/protocols/CMakeLists.txt

@@ -1,4 +1,37 @@
 
+add_subdirectory(ayiya)
+add_subdirectory(backdoor)
+add_subdirectory(bittorrent)
+add_subdirectory(conn-size)
+add_subdirectory(dce-rpc)
+add_subdirectory(dhcp)
+add_subdirectory(dns)
+add_subdirectory(file)
+add_subdirectory(finger)
+add_subdirectory(ftp)
+add_subdirectory(gnutella)
+add_subdirectory(gtpv1)
 add_subdirectory(http)
+add_subdirectory(icmp)
+add_subdirectory(ident)
+add_subdirectory(interconn)
+add_subdirectory(irc)
+add_subdirectory(login)
+add_subdirectory(modbus)
+add_subdirectory(ncp)
+add_subdirectory(netbios-ssn)
+add_subdirectory(ntp)
+add_subdirectory(pia)
+add_subdirectory(pop3)
+add_subdirectory(rpc)
+add_subdirectory(smb)
+add_subdirectory(smtp)
+add_subdirectory(socks)
+add_subdirectory(ssh)
 add_subdirectory(ssl)
+add_subdirectory(stepping-stone)
 add_subdirectory(syslog)
+add_subdirectory(tcp)
+add_subdirectory(teredo)
+add_subdirectory(udp)
+add_subdirectory(zip)

src/analyzer/protocols/TODO

@@ -0,0 +1,10 @@
+
+- introduce namespace into analyzers
+- fill events.bif
+- add functions.bif where needed
+- move ARP
+- move NetFlow
+- update *.h guards
+- cleanup analyzer descriptions
+- can now lower-case the analyzer name in plugin
+

src/analyzer/protocols/ayiya/CMakeLists.txt

@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(AYIYA)
+bro_plugin_cc(AYIYA.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac)
+bro_plugin_end()

src/analyzer/protocols/ayiya/Plugin.cc

@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "AYIYA.h"
+
+BRO_PLUGIN_BEGIN(AYIYA)
+	BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer");
+	BRO_PLUGIN_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/backdoor/BackDoor.cc

@@ -5,7 +5,7 @@
 #include "BackDoor.h"
 #include "Event.h"
 #include "Net.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 
 BackDoorEndpoint::BackDoorEndpoint(TCP_Endpoint* e)
 	{

src/analyzer/protocols/backdoor/BackDoor.h

@@ -3,10 +3,10 @@
 #ifndef backdoor_h
 #define backdoor_h
 
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "Timer.h"
 #include "NetVar.h"
-#include "Login.h"
+#include "analyzer/protocols/login/Login.h"
 
 class BackDoorEndpoint {
 public:

src/analyzer/protocols/backdoor/CMakeLists.txt

@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(BackDoor)
+bro_plugin_cc(BackDoor.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()

src/analyzer/protocols/backdoor/Plugin.cc

@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "BackDoor.h"
+
+BRO_PLUGIN_BEGIN(BackDoor)
+	BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)");
+	BRO_PLUGIN_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/bittorrent/BitTorrent.cc

@@ -1,7 +1,7 @@
 // This code contributed by Nadi Sarrar.
 
 #include "BitTorrent.h"
-#include "TCP_Reassembler.h"
+#include "analyzer/protocols/tcp/TCP_Reassembler.h"
 
 BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c)
 : TCP_ApplicationAnalyzer("BITTORRENT", c)

src/analyzer/protocols/bittorrent/BitTorrent.h

@@ -3,7 +3,7 @@
 #ifndef bittorrent_h
 #define bittorrent_h
 
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 
 #include "bittorrent_pac.h"
 

src/analyzer/protocols/bittorrent/BitTorrentTracker.cc

@@ -1,7 +1,7 @@
 // This code contributed by Nadi Sarrar.
 
 #include "BitTorrentTracker.h"
-#include "TCP_Reassembler.h"
+#include "analyzer/protocols/tcp/TCP_Reassembler.h"
 
 #include <sys/types.h>
 #include <regex.h>

src/analyzer/protocols/bittorrent/BitTorrentTracker.h

@@ -3,7 +3,7 @@
 #ifndef bittorrenttracker_h
 #define bittorrenttracker_h
 
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 
 #define BTTRACKER_BUF 2048
 

src/analyzer/protocols/bittorrent/CMakeLists.txt

@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(BitTorrent)
+bro_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac)
+bro_plugin_end()

src/analyzer/protocols/bittorrent/Plugin.cc

@@ -0,0 +1,12 @@
+
+#include "plugin/Plugin.h"
+
+#include "BitTorrent.h"
+#include "BitTorrentTracker.h"
+
+BRO_PLUGIN_BEGIN(BitTorrent)
+	BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer");
+	BRO_PLUGIN_ANALYZER("BitTorrent", BitTorrent_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("BitTorrentTracker", BitTorrentTracker_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/conn-size/CMakeLists.txt

@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(ConnSize)
+bro_plugin_cc(ConnSize.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()

src/analyzer/protocols/conn-size/ConnSize.cc

@@ -3,8 +3,8 @@
 // See ConnSize.h for more extensive comments.
 
 
-#include "ConnSizeAnalyzer.h"
+#include "ConnSize.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 
 
 

src/analyzer/protocols/conn-size/Plugin.cc

@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "ConnSize.h"
+
+BRO_PLUGIN_BEGIN(ConnSize)
+	BRO_PLUGIN_DESCRIPTION("Connection size analyzer");
+	BRO_PLUGIN_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/dce-rpc/CMakeLists.txt

@@ -0,0 +1,11 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(DCE_RPC)
+bro_plugin_cc(DCE_RPC.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(dce_rpc.pac dce_rpc-protocol.pac dce_rpc-analyzer.pac)
+bro_plugin_pac(dce_rpc_simple.pac dce_rpc-protocol.pac epmapper.pac)
+bro_plugin_end()

src/analyzer/protocols/dce-rpc/DCE_RPC.h

@@ -7,7 +7,7 @@
 // Windows systems) and shouldn't be considered as stable.
 
 #include "NetVar.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "IPAddr.h"
 
 #include "dce_rpc_simple_pac.h"

src/analyzer/protocols/dce-rpc/Plugin.cc

@@ -0,0 +1,11 @@
+
+#include "plugin/Plugin.h"
+
+#include "DCE_RPC.h"
+
+BRO_PLUGIN_BEGIN(DCE_RPC)
+	BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer");
+	BRO_PLUGIN_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC");
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/dhcp/CMakeLists.txt

@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(DHCP)
+bro_plugin_cc(DHCP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac)
+bro_plugin_end()

src/analyzer/protocols/dhcp/DHCP.cc

@@ -1,22 +1,23 @@
-#include "DHCP-binpac.h"
 
-DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn)
+#include "DHCP.h"
+
+DHCP_Analyzer::DHCP_Analyzer(Connection* conn)
 : Analyzer("DHCP", conn)
 	{
 	interp = new binpac::DHCP::DHCP_Conn(this);
 	}
 
-DHCP_Analyzer_binpac::~DHCP_Analyzer_binpac()
+DHCP_Analyzer::~DHCP_Analyzer()
 	{
 	delete interp;
 	}
 
-void DHCP_Analyzer_binpac::Done()
+void DHCP_Analyzer::Done()
 	{
 	Analyzer::Done();
 	}
 
-void DHCP_Analyzer_binpac::DeliverPacket(int len, const u_char* data,
+void DHCP_Analyzer::DeliverPacket(int len, const u_char* data,
 			bool orig, int seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

src/analyzer/protocols/dhcp/DHCP.h

@@ -1,22 +1,21 @@
 #ifndef dhcp_binpac_h
 #define dhcp_binpac_h
 
-#include "UDP.h"
+#include "analyzer/protocols/udp/UDP.h"
 
 #include "dhcp_pac.h"
 
-
+class DHCP_Analyzer : public analyzer::Analyzer {
-class DHCP_Analyzer_binpac : public analyzer::Analyzer {
 public:
-	DHCP_Analyzer_binpac(Connection* conn);
+	DHCP_Analyzer(Connection* conn);
-	virtual ~DHCP_Analyzer_binpac();
+	virtual ~DHCP_Analyzer();
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
-		{ return new DHCP_Analyzer_binpac(conn); }
+		{ return new DHCP_Analyzer(conn); }
 
 protected:
 	binpac::DHCP::DHCP_Conn* interp;

src/analyzer/protocols/dhcp/Plugin.cc

@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "DHCP.h"
+
+BRO_PLUGIN_BEGIN(DHCP)
+	BRO_PLUGIN_DESCRIPTION("DHCP Analyzer");
+	BRO_PLUGIN_ANALYZER("DHCP", DHCP_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/dns/CMakeLists.txt

@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(DNS)
+bro_plugin_cc(DNS.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()

src/analyzer/protocols/dns/DNS.h

@@ -3,7 +3,7 @@
 #ifndef dns_h
 #define dns_h
 
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "binpac_bro.h"
 
 typedef enum {

src/analyzer/protocols/dns/Plugin.cc

@@ -0,0 +1,11 @@
+
+#include "plugin/Plugin.h"
+
+#include "DNS.h"
+
+BRO_PLUGIN_BEGIN(DNS)
+	BRO_PLUGIN_DESCRIPTION("DNS Analyzer");
+	BRO_PLUGIN_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS");
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/file/CMakeLists.txt

@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(File)
+bro_plugin_cc(File.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()

src/analyzer/protocols/file/File.cc

@@ -1,6 +1,6 @@
 #include <algorithm>
 
-#include "FileAnalyzer.h"
+#include "File.h"
 #include "Reporter.h"
 #include "util.h"
 

src/analyzer/protocols/file/File.h

@@ -3,7 +3,7 @@
 #ifndef FILEANALYZER_H
 #define FILEANALYZER_H
 
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 
 #include <magic.h>
 

src/analyzer/protocols/file/Plugin.cc

@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "./File.h"
+
+BRO_PLUGIN_BEGIN(File)
+	BRO_PLUGIN_DESCRIPTION("Generic File Analyzer");
+	BRO_PLUGIN_ANALYZER("File", File_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/finger/CMakeLists.txt

@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Finger)
+bro_plugin_cc(Finger.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()

src/analyzer/protocols/finger/Finger.cc

@@ -7,7 +7,7 @@
 #include "NetVar.h"
 #include "Finger.h"
 #include "Event.h"
-#include "ContentLine.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
 
 Finger_Analyzer::Finger_Analyzer(Connection* conn)
 : TCP_ApplicationAnalyzer("FINGER", conn)

src/analyzer/protocols/finger/Finger.h

@@ -3,7 +3,7 @@
 #ifndef finger_h
 #define finger_h
 
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 
 class ContentLine_Analyzer;
 

src/analyzer/protocols/finger/Plugin.cc

@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "Finger.h"
+
+BRO_PLUGIN_BEGIN(Finger)
+	BRO_PLUGIN_DESCRIPTION("Finger Analyzer");
+	BRO_PLUGIN_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/ftp/CMakeLists.txt

@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(FTP)
+bro_plugin_cc(FTP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()

src/analyzer/protocols/ftp/FTP.cc

@@ -6,10 +6,10 @@
 
 #include "NetVar.h"
 #include "FTP.h"
-#include "NVT.h"
 #include "Event.h"
 #include "Base64.h"
 #include "analyzer/Manager.h"
+#include "analyzer/protocols/login/NVT.h"
 
 FTP_Analyzer::FTP_Analyzer(Connection* conn)
 : TCP_ApplicationAnalyzer("FTP", conn)

src/analyzer/protocols/ftp/FTP.h

@@ -3,8 +3,8 @@
 #ifndef ftp_h
 #define ftp_h
 
-#include "NVT.h"
+#include "analyzer/protocols/login/NVT.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 
 class FTP_Analyzer : public TCP_ApplicationAnalyzer {
 public:

src/analyzer/protocols/ftp/Plugin.cc

@@ -0,0 +1,11 @@
+
+#include "plugin/Plugin.h"
+
+#include "FTP.h"
+
+BRO_PLUGIN_BEGIN(FTP)
+	BRO_PLUGIN_DESCRIPTION("FTP Analyzer");
+	BRO_PLUGIN_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT");
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/gnutella/CMakeLists.txt

@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Gnutella)
+bro_plugin_cc(Gnutella.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()

src/analyzer/protocols/gnutella/Gnutella.cc

@@ -9,7 +9,7 @@
 #include "NetVar.h"
 #include "Gnutella.h"
 #include "Event.h"
-#include "PIA.h"
+#include "analyzer/protocols/pia/PIA.h"
 #include "analyzer/Manager.h"
 
 GnutellaMsgState::GnutellaMsgState()

src/analyzer/protocols/gnutella/Gnutella.h

@@ -3,7 +3,7 @@
 #ifndef gnutella_h
 #define gnutella_h
 
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 
 #define ORIG_OK               0x1
 #define RESP_OK               0x2

src/analyzer/protocols/gnutella/Plugin.cc

@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "Gnutella.h"
+
+BRO_PLUGIN_BEGIN(Gnutella)
+	BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer");
+	BRO_PLUGIN_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/gtpv1/CMakeLists.txt

@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(GTPV1)
+bro_plugin_cc(GTPv1.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac)
+bro_plugin_end()

src/analyzer/protocols/gtpv1/Plugin.cc

@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "GTPv1.h"
+
+BRO_PLUGIN_BEGIN(GTPV1)
+	BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer");
+	BRO_PLUGIN_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/http/HTTP.h

@@ -3,15 +3,16 @@
 #ifndef http_h
 #define http_h
 
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
-#include "ContentLine.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
+#include "analyzer/protocols/zip/ZIP.h"
 #include "MIME.h"
 #include "binpac_bro.h"
-#include "ZIP.h"
 #include "IPAddr.h"
-#include "HTTP.h"
 #include "events.bif.h"
 
+#include "HTTP.h"
+
 enum CHUNKED_TRANSFER_STATE {
 	NON_CHUNKED_TRANSFER,
 	BEFORE_CHUNK,

src/analyzer/protocols/icmp/CMakeLists.txt

@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(ICMP)
+bro_plugin_cc(ICMP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()

src/analyzer/protocols/icmp/Plugin.cc

@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "ICMP.h"
+
+BRO_PLUGIN_BEGIN(ICMP)
+	BRO_PLUGIN_DESCRIPTION("ICMP Analyzer");
+	BRO_PLUGIN_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END