From bd52ab1a5546fd6e8fd99c0cd89a02e999e74b75 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Fri, 11 Nov 2022 15:54:31 -0700
Subject: [PATCH 1/4] Rework setting adding ports to map slightly

---
 src/Val.cc | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/Val.cc b/src/Val.cc
index cf1c2b37b6..c00fdbfe55 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -3972,10 +3972,9 @@ const PortValPtr& ValManager::Port(uint32_t port_num, TransportProto port_type)
 		port_num = 0;
 		}
 
-	uint32_t port_masked = PortVal::Mask(port_num, port_type);
-	if ( ports.find(port_masked) == ports.end() )
-		ports[port_masked] = IntrusivePtr{AdoptRef{},
-		                                  new PortVal(PortVal::Mask(port_num, port_type))};
+	auto port_masked = PortVal::Mask(port_num, port_type);
+	if ( ports.count(port_masked) == 0 )
+		ports.insert({port_masked, make_intrusive<PortVal>(port_masked)});
 
 	return ports[port_masked];
 	}

From accac2d3bb5b11e8dab5f868fd7e21ac7e23b030 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Fri, 11 Nov 2022 16:02:52 -0700
Subject: [PATCH 2/4] Remove unneeded forward-declaration of select()

---
 src/RunState.cc | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/src/RunState.cc b/src/RunState.cc
index 6a1d4c3387..67041cc915 100644
--- a/src/RunState.cc
+++ b/src/RunState.cc
@@ -40,13 +40,6 @@ extern "C"
 #include "zeek/plugin/Manager.h"
 #include "zeek/session/Manager.h"
 
-#ifndef _MSC_VER
-extern "C"
-	{
-	extern int select(int, fd_set*, fd_set*, fd_set*, struct timeval*);
-	}
-#endif
-
 static double last_watchdog_proc_time = 0.0; // value of above during last watchdog
 extern int signal_val;
 

From bfd5b06943f72992170935856e774725691c3a8d Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Fri, 11 Nov 2022 16:32:55 -0700
Subject: [PATCH 3/4] Minor renaming changes to event handler stats bif, plus a
 test

---
 scripts/base/init-bare.zeek                         | 6 +++---
 src/stats.bif                                       | 9 +++------
 testing/btest/Baseline/bifs.event-handler-stats/out | 1 +
 testing/btest/bifs/event-handler-stats.zeek         | 7 +++++++
 4 files changed, 14 insertions(+), 9 deletions(-)
 create mode 100644 testing/btest/Baseline/bifs.event-handler-stats/out
 create mode 100644 testing/btest/bifs/event-handler-stats.zeek

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 767c33cb1a..c1f73949cc 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -797,9 +797,9 @@ type ReporterStats: record {
 ## .. zeek:see:: get_event_handler_call_counts
 type EventNameCounter: record {
 	## Name of the zeek event.
-	name: 			string 	&log;
-	## Times it was queued, as captured by event hook.
-	times_queued: 	count 	&log;
+	name: string &log;
+	## Times it was called, as counted by the event handlers.
+	times_called: count &log;
 } &log;
 type EventNameStats: vector of EventNameCounter;
 
diff --git a/src/stats.bif b/src/stats.bif
index 9adc49b16c..0cf113b921 100644
--- a/src/stats.bif
+++ b/src/stats.bif
@@ -485,17 +485,15 @@ function get_reporter_stats%(%): ReporterStats
 	return r;
 	%}
 
-## Returns a list of event handlers that were called and the number of times
-## each was called.
+## Returns statistics about calls to event handlers.
 ##
 ## Returns: A record with event call statistics.
 ##
-function get_event_handler_call_counts%(%): EventNameStats
+function get_event_handler_stats%(%): EventNameStats
   %{
 	auto rval = zeek::make_intrusive<zeek::VectorVal>(zeek::id::find_type<VectorType>("EventNameStats"));
 	const auto& recordType = zeek::id::find_type<RecordType>("EventNameCounter");
 
-	int i = 0;
 	const auto& events = event_registry->UsedHandlers();
 	for ( const auto& name : events )
 		{
@@ -507,8 +505,7 @@ function get_event_handler_call_counts%(%): EventNameStats
 			auto eventStatRecord = zeek::make_intrusive<zeek::RecordVal>(recordType);
 			eventStatRecord->Assign(0, zeek::make_intrusive<zeek::StringVal>(name));
 			eventStatRecord->Assign(1, zeek::val_mgr->Count(handler->CallCount()));
-			rval->Assign(i, std::move(eventStatRecord));
-			i++;
+			rval->Append(std::move(eventStatRecord));
 			}
 		}
 
diff --git a/testing/btest/Baseline/bifs.event-handler-stats/out b/testing/btest/Baseline/bifs.event-handler-stats/out
new file mode 100644
index 0000000000..90d679233f
--- /dev/null
+++ b/testing/btest/Baseline/bifs.event-handler-stats/out
@@ -0,0 +1 @@
+[[name=Broker::log_flush, times_called=2], [name=ChecksumOffloading::check, times_called=2], [name=NetControl::init, times_called=1], [name=analyzer_confirmation_info, times_called=1], [name=connection_established, times_called=1], [name=connection_state_remove, times_called=1], [name=file_new, times_called=1], [name=file_over_new_connection, times_called=1], [name=file_sniff, times_called=1], [name=file_state_remove, times_called=1], [name=filter_change_tracking, times_called=3], [name=get_file_handle, times_called=4], [name=http_begin_entity, times_called=2], [name=http_end_entity, times_called=2], [name=http_header, times_called=13], [name=http_message_done, times_called=2], [name=http_reply, times_called=1], [name=http_request, times_called=1], [name=net_done, times_called=1], [name=new_connection, times_called=1], [name=run_sync_hook, times_called=2], [name=zeek_done, times_called=1], [name=zeek_init, times_called=1]]
diff --git a/testing/btest/bifs/event-handler-stats.zeek b/testing/btest/bifs/event-handler-stats.zeek
new file mode 100644
index 0000000000..129a5d8809
--- /dev/null
+++ b/testing/btest/bifs/event-handler-stats.zeek
@@ -0,0 +1,7 @@
+# @TEST-EXEC: zeek -r $TRACES/http/get.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event zeek_done()
+{
+	print(get_event_handler_stats());
+}
\ No newline at end of file

From 51cdbbd59da0f7dee00e5950750e0ca824d73a80 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <timwoj@gmail.com>
Date: Fri, 11 Nov 2022 18:26:33 -0700
Subject: [PATCH 4/4] Re-enable strcasestr on Windows, fix linking error

---
 src/util.cc | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/src/util.cc b/src/util.cc
index 6b01b1f28b..52b99e913d 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -1343,20 +1343,7 @@ const char* strpbrk_n(size_t len, const char* s, const char* charset)
 	return nullptr;
 	}
 
-#if ! defined(HAVE_STRCASESTR) && ! defined(_MSC_VER)
-
-TEST_CASE("util strcasestr")
-	{
-	const char* s = "this is a string";
-	const char* out = strcasestr(s, "is");
-	CHECK(strcmp(out, "is a string") == 0);
-
-	const char* out2 = strcasestr(s, "IS");
-	CHECK(strcmp(out2, "is a string") == 0);
-
-	const char* out3 = strcasestr(s, "not there");
-	CHECK(strcmp(out2, s) == 0);
-	}
+#if ! defined(HAVE_STRCASESTR)
 
 // This code is derived from software contributed to BSD by Chris Torek.
 char* strcasestr(const char* s, const char* find)
@@ -1384,6 +1371,20 @@ char* strcasestr(const char* s, const char* find)
 
 	return (char*)s;
 	}
+
+TEST_CASE("util strcasestr")
+	{
+	const char* s = "this is a string";
+	const char* out = strcasestr(s, "is");
+	CHECK(strcmp(out, "is a string") == 0);
+
+	const char* out2 = strcasestr(s, "IS");
+	CHECK(strcmp(out2, "is a string") == 0);
+
+	const char* out3 = strcasestr(s, "not there");
+	CHECK(strcmp(out2, s) == 0);
+	}
+
 #endif
 
 TEST_CASE("util atoi_n")