Support namespaces / modules in bif. Checkpoint.

(now actually commiting all the files) This change is actually two-fold: a) bif's now accept module XYZ; statements and module::ID for function, const, event, enum, etc. declartation b) Added C++-namespaces to variables, functions, etc. that are declared in bif but accessed from C++ This required some (lightweight) re-factoring of the C++ codes. Note, event's don't have their own C++ namespace yet, since this would require a rather huge re-factoring. Compiles and passes test suite. New namespace feature not tested yet. Documentation to follow.
2025-10-04 07:38:19 +00:00 · 2011-02-11 09:37:23 -08:00 · 2011-02-11 09:37:23 -08:00 · f79ea244fa
commit f79ea244fa
parent 86fdd1dcf3
31 changed files with 332 additions and 228 deletions
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -83,7 +83,7 @@ flex_target(Scanner scan.l ${CMAKE_CURRENT_BINARY_DIR}/scan.cc
 set(bifcl_SRCS
   ${BISON_BIFParser_OUTPUTS}
   ${FLEX_BIFScanner_OUTPUTS}
-   bif_arg.cc
+   bif_arg.cc module_util.cc
 )
 add_executable(bifcl ${bifcl_SRCS})
@ -240,6 +240,7 @@ set(bro_SRCS
    main.cc
    net_util.cc
    util.cc
    module_util.cc
    Active.cc
    Analyzer.cc
    Anon.cc
--- a/src/DCE_RPC.cc
+++ b/src/DCE_RPC.cc
@ -85,7 +85,7 @@ UUID::UUID(const char* str)
 		internal_error("invalid UUID string: %s", str);
 	}
-typedef map<UUID, BroEnum::dce_rpc_if_id> uuid_map_t;
+typedef map<UUID, BifEnum::dce_rpc_if_id> uuid_map_t;
 static uuid_map_t& well_known_uuid_map()
 	{
@ -95,7 +95,7 @@ static uuid_map_t& well_known_uuid_map()
 	if ( initialized )
 		return the_map;
-	using namespace BroEnum;
+	using namespace BifEnum;
 	the_map[UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")] = DCE_RPC_epmapper;
@ -186,14 +186,14 @@ DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b)
 	else
 		fragmented = 0;
-	ptype = (BroEnum::dce_rpc_ptype) bytes[2];
+	ptype = (BifEnum::dce_rpc_ptype) bytes[2];
 	frag_len = extract_uint16(LittleEndian(), bytes + 8);
 	}
 DCE_RPC_Session::DCE_RPC_Session(Analyzer* a)
 : analyzer(a),
  if_uuid("00000000-0000-0000-0000-000000000000"),
-  if_id(BroEnum::DCE_RPC_unknown_if)
+  if_id(BifEnum::DCE_RPC_unknown_if)
 	{
 	opnum = -1;
 	}
@ -234,7 +234,7 @@ void DCE_RPC_Session::DeliverPDU(int is_orig, int len, const u_char* data)
 		val_list* vl = new val_list;
 		vl->append(analyzer->BuildConnVal());
 		vl->append(new Val(is_orig, TYPE_BOOL));
-		vl->append(new EnumVal(data[2], BroTypePtr::Enum::dce_rpc_ptype));
+		vl->append(new EnumVal(data[2], BifTypePtr::Enum::dce_rpc_ptype));
 		vl->append(new StringVal(len, (const char*) data));
 		analyzer->ConnectionEvent(dce_rpc_message, vl);
@ -286,7 +286,7 @@ void DCE_RPC_Session::DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu
 			// conn->Weird(fmt("Unknown DCE_RPC interface %s",
 			// 		if_uuid.to_string()));
 #endif
-			if_id = BroEnum::DCE_RPC_unknown_if;
+			if_id = BifEnum::DCE_RPC_unknown_if;
 			}
 		else
 			if_id = uuid_it->second;
@ -296,7 +296,7 @@ void DCE_RPC_Session::DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu
 			val_list* vl = new val_list;
 			vl->append(analyzer->BuildConnVal());
 			vl->append(new StringVal(if_uuid.to_string()));
-			// vl->append(new EnumVal(if_id, BroTypePtr::Enum::dce_rpc_if_id));
+			// vl->append(new EnumVal(if_id, BifTypePtr::Enum::dce_rpc_if_id));
 			analyzer->ConnectionEvent(dce_rpc_bind, vl);
 			}
@ -321,7 +321,7 @@ void DCE_RPC_Session::DeliverRequest(const binpac::DCE_RPC_Simple::DCE_RPC_PDU*
 		}
 	switch ( if_id ) {
-	case BroEnum::DCE_RPC_epmapper:
+	case BifEnum::DCE_RPC_epmapper:
 		DeliverEpmapperRequest(pdu, req);
 		break;
@ -345,7 +345,7 @@ void DCE_RPC_Session::DeliverResponse(const binpac::DCE_RPC_Simple::DCE_RPC_PDU*
 		}
 	switch ( if_id ) {
-	case BroEnum::DCE_RPC_epmapper:
+	case BifEnum::DCE_RPC_epmapper:
 		DeliverEpmapperResponse(pdu, resp);
 		break;
--- a/src/DCE_RPC.h
+++ b/src/DCE_RPC.h
@ -91,7 +91,7 @@ class DCE_RPC_Header {
 public:
 	DCE_RPC_Header(Analyzer* a, const u_char* bytes);
-	BroEnum::dce_rpc_ptype PTYPE() const	{ return ptype; }
+	BifEnum::dce_rpc_ptype PTYPE() const	{ return ptype; }
 	int FragLen() const		{ return frag_len; }
 	int LittleEndian() const	{ return bytes[4] >> 4; }
 	bool Fragmented() const		{ return fragmented; }
@ -102,7 +102,7 @@ public:
 protected:
 	Analyzer* analyzer;
 	const u_char* bytes;
-	BroEnum::dce_rpc_ptype ptype;
+	BifEnum::dce_rpc_ptype ptype;
 	int frag_len;
 	bool fragmented;
 };
@ -138,7 +138,7 @@ protected:
 	Analyzer* analyzer;
 	UUID if_uuid;
-	BroEnum::dce_rpc_if_id if_id;
+	BifEnum::dce_rpc_if_id if_id;
 	int opnum;
 	struct {
 		dce_rpc_endpoint_addr addr;
--- a/src/DNS.h
+++ b/src/DNS.h
@ -267,7 +267,7 @@ public:
 					TCP_Endpoint* peer, int gen_event);
 	virtual int RewritingTrace()
 		{
-		return rewriting_dns_trace ||
+		return BifConst::rewriting_dns_trace ||
 			TCP_ApplicationAnalyzer::RewritingTrace();
 		}
--- a/src/FTP.h
+++ b/src/FTP.h
@ -16,7 +16,7 @@ public:
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual int RewritingTrace()
 		{
-		return rewriting_ftp_trace ||
+		return BifConst::rewriting_ftp_trace ||
 			TCP_ApplicationAnalyzer::RewritingTrace();
 		}
--- a/src/Finger.h
+++ b/src/Finger.h
@ -18,7 +18,7 @@ public:
 	// Line-based input.
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual int RewritingTrace()
-		{ return rewriting_finger_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
+		{ return BifConst::rewriting_finger_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Finger_Analyzer(conn); }
--- a/src/Func.cc
+++ b/src/Func.cc
@ -496,6 +496,18 @@ void builtin_run_time(const char* msg, BroObj* arg)
 		run_time(msg, arg);
 	}
 #include "bro.bif.func_h"
 #include "common-rw.bif.func_h"
 #include "finger-rw.bif.func_h"
 #include "ftp-rw.bif.func_h"
 #include "http-rw.bif.func_h"
 #include "ident-rw.bif.func_h"
 #include "smtp-rw.bif.func_h"
 #include "strings.bif.func_h"
 #include "dns-rw.bif.func_h"
 #include "bro.bif.func_def"
 #include "strings.bif.func_def"
@ -523,7 +535,7 @@ void init_builtin_funcs()
 bool check_built_in_call(BuiltinFunc* f, CallExpr* call)
 	{
-	if ( f->TheFunc() != bro_fmt )
+	if ( f->TheFunc() != BifFunc::bro_fmt )
 		return true;
 	const expr_list& args = call->Args()->Exprs();
--- a/src/HTTP.cc
+++ b/src/HTTP.cc
@ -633,7 +633,7 @@ void HTTP_Message::SetPlainDelivery(int length)
 	{
 	content_line->SetPlainDelivery(length);
-	if ( length > 0 && skip_http_data )
+	if ( length > 0 && BifConst::skip_http_data )
 		content_line->SkipBytesAfterThisLine(length);
 	if ( ! data_buffer )
--- a/src/HTTP.h
+++ b/src/HTTP.h
@ -170,7 +170,7 @@ public:
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void Undelivered(int seq, int len, bool orig);
 	virtual int RewritingTrace()
-		{ return rewriting_http_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
+		{ return BifConst::rewriting_http_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
 	// Overriden from TCP_ApplicationAnalyzer
 	virtual void EndpointEOF(bool is_orig);
--- a/src/Ident.h
+++ b/src/Ident.h
@ -16,7 +16,7 @@ public:
 	virtual void DeliverStream(int length, const u_char* data, bool is_orig);
 	virtual int RewritingTrace()
 		{
-		return rewriting_ident_trace ||
+		return BifConst::rewriting_ident_trace ||
 			TCP_ApplicationAnalyzer::RewritingTrace();
 		}
--- a/src/Net.cc
+++ b/src/Net.cc
@ -346,7 +346,7 @@ void net_init(name_list& interfaces, name_list& readfiles,
 		transformed_pkt_dump =
 			new PacketDumper(pkt_dumper->PcapDumper());
-	if ( anonymize_ip_addr )
+	if ( BifConst::anonymize_ip_addr )
 		init_ip_addr_anonymizers();
 	else
 		for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i )
--- a/src/Portmap.cc
+++ b/src/Portmap.cc
@ -288,7 +288,7 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, int status, Val* r
 		}
 	else
 		{
-		vl->append(new EnumVal(status, BroTypePtr::Enum::rpc_status));
+		vl->append(new EnumVal(status, BifTypePtr::Enum::rpc_status));
 		if ( request )
 			vl->append(request);
 		}
--- a/src/RPC.cc
+++ b/src/RPC.cc
@ -137,14 +137,14 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 		if ( ! buf )
 			return 0;
-		uint32 status = BroEnum::RPC_UNKNOWN_ERROR;
+		uint32 status = BifEnum::RPC_UNKNOWN_ERROR;
 		if ( reply_stat == RPC_MSG_ACCEPTED )
 			{
 			(void) skip_XDR_opaque_auth(buf, n);
 			uint32 accept_stat = extract_XDR_uint32(buf, n);
-			// The first members of BroEnum::RPC_* correspond
+			// The first members of BifEnum::RPC_* correspond
 			// to accept_stat.
 			if ( accept_stat <= RPC_SYSTEM_ERR )
 				status = accept_stat;
@ -171,7 +171,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 			if ( reject_stat == RPC_MISMATCH )
 				{
 				// Note that RPC_MISMATCH == 0 == RPC_SUCCESS.
-				status = BroEnum::RPC_VERS_MISMATCH;
+				status = BifEnum::RPC_VERS_MISMATCH;
 				(void) extract_XDR_uint32(buf, n);
 				(void) extract_XDR_uint32(buf, n);
@ -182,7 +182,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 			else if ( reject_stat == RPC_AUTH_ERROR )
 				{
-				status = BroEnum::RPC_AUTH_ERROR;
+				status = BifEnum::RPC_AUTH_ERROR;
 				(void) extract_XDR_uint32(buf, n);
 				if ( ! buf )
@ -191,7 +191,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 			else
 				{
-				status = BroEnum::RPC_UNKNOWN_ERROR;
+				status = BifEnum::RPC_UNKNOWN_ERROR;
 				Weird("bad_RPC");
 				}
 			}
@ -264,7 +264,7 @@ void RPC_Interpreter::Timeout()
 	while ( (c = calls.NextEntry(cookie)) )
 		{
-		RPC_Event(c, BroEnum::RPC_TIMEOUT, 0);
+		RPC_Event(c, BifEnum::RPC_TIMEOUT, 0);
 		if ( c->IsValidCall() )
 			{
 			const u_char* buf;
@ -276,7 +276,7 @@ void RPC_Interpreter::Timeout()
 			else
 				{
 				Event(event, c->TakeRequestVal(),
-					BroEnum::RPC_TIMEOUT, reply);
+					BifEnum::RPC_TIMEOUT, reply);
 				}
 			}
 		}
--- a/src/SMB.h
+++ b/src/SMB.h
@ -206,7 +206,7 @@ public:
 			DCE_RPC_Session::any_dce_rpc_event();
 		}
-	int RewritingTrace()	{ return rewriting_smb_trace; }
+	int RewritingTrace()	{ return BifConst::rewriting_smb_trace; }
 protected:
 	SMB_Session* smb_session;
--- a/src/SMTP.h
+++ b/src/SMTP.h
@ -47,7 +47,7 @@ public:
 	virtual void ConnectionFinished(int half_finished);
 	virtual void Undelivered(int seq, int len, bool orig);
 	virtual int RewritingTrace()
-		{ return rewriting_smtp_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
+		{ return BifConst::rewriting_smtp_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
 	void SkipData()	{ skip_data = 1; }	// skip delivery of data lines
--- a/src/Scope.cc
+++ b/src/Scope.cc
@ -11,42 +11,6 @@
 static scope_list scopes;
 static Scope* top_scope;
 // Returns it without trailing "::".
 string extract_module_name(const char* name)
 	{
 	string module_name = name;
 	string::size_type pos = module_name.rfind("::");
 	if ( pos == string::npos )
 		return string(GLOBAL_MODULE_NAME);
 	module_name.erase(pos);
 	return module_name;
 	}
 string normalized_module_name(const char* module_name)
 	{
 	int mod_len;
 	if ( (mod_len = strlen(module_name)) >= 2 &&
 	     ! strcmp(module_name + mod_len - 2, "::") )
 		mod_len -= 2;
 	return string(module_name, mod_len);
 	}
 string make_full_var_name(const char* module_name, const char* var_name)
 	{
 	if ( ! module_name || streq(module_name, GLOBAL_MODULE_NAME) ||
 	     strstr(var_name, "::") )
 		return string(var_name);
 	string full_name = normalized_module_name(module_name);
 	full_name += "::";
 	full_name += var_name;
 	return full_name;
 	}
 Scope::Scope(ID* id)
 	{
--- a/src/Scope.h
+++ b/src/Scope.h
@ -1,5 +1,6 @@
 // $Id: Scope.h 6219 2008-10-01 05:39:07Z vern $
 //
 //
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef scope_h
@ -11,6 +12,7 @@
 #include "Obj.h"
 #include "BroList.h"
 #include "TraverseTypes.h"
 #include "module_util.h"
 class ID;
 class BroType;
@ -59,14 +61,6 @@ protected:
 	id_list* inits;
 };
 static const char* GLOBAL_MODULE_NAME = "GLOBAL";
 extern string extract_module_name(const char* name);
 extern string normalized_module_name(const char* module_name); // w/o ::
 // Concatenates module_name::var_name unless var_name is already fully
 // qualified, in which case it is returned unmodified.
 extern string make_full_var_name(const char* module_name, const char* var_name);
 extern bool in_debug;
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -201,7 +201,7 @@ void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 		//
 		// Should we discourage the use of encap_hdr_size for UDP
 		// tunnneling?  It is probably better handled by enabling
-		// parse_udp_tunnels instead of specifying a fixed
+		// BifConst::parse_udp_tunnels instead of specifying a fixed
 		// encap_hdr_size.
 		if ( udp_tunnel_port > 0 )
 			{
@ -228,7 +228,7 @@ void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 	// Check IP packets encapsulated through UDP tunnels.
 	// Specifying a udp_tunnel_port is optional but recommended (to avoid
 	// the cost of checking every UDP packet).
-	else if ( parse_udp_tunnels && ip_data && ip_hdr->ip_p == IPPROTO_UDP )
+	else if ( BifConst::parse_udp_tunnels && ip_data && ip_hdr->ip_p == IPPROTO_UDP )
 		{
 		const struct udphdr* udp_hdr =
 			reinterpret_cast<const struct udphdr*>(ip_data);
@ -663,9 +663,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 	// Override content record setting according to
 	// flags set by the policy script.
-	if ( dump_original_packets_if_not_rewriting )
+	if ( BifConst::dump_original_packets_if_not_rewriting )
 		record_packet = record_content = 1;
-	if ( dump_selected_source_packets )
+	if ( BifConst::dump_selected_source_packets )
 		record_packet = record_content = 0;
 	if ( f )
--- a/src/TCP.cc
+++ b/src/TCP.cc
@ -56,7 +56,7 @@ TCP_Analyzer::TCP_Analyzer(Connection* conn)
 	orig->SetPeer(resp);
 	resp->SetPeer(orig);
-	if ( dump_selected_source_packets )
+	if ( BifConst::dump_selected_source_packets )
 		{
 		if ( source_pkt_dump )
 			src_pkt_writer =
@ -87,7 +87,7 @@ void TCP_Analyzer::Init()
 	if ( transformed_pkt_dump && Conn()->RewritingTrace() )
 		SetTraceRewriter(new TCP_Rewriter(this, transformed_pkt_dump,
 						transformed_pkt_dump_MTU,
-						requires_trace_commitment));
+						BifConst::requires_trace_commitment));
 	}
 void TCP_Analyzer::Done()
@ -2090,7 +2090,7 @@ int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
 	int seq_delta = top_seq - max_top_seq;
 	if ( seq_delta <= 0 )
 		{
-		if ( ! ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 )
+		if ( ! BifConst::ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 )
 			{
 			++num_rxmit;
 			num_rxmit_bytes += len;
--- a/src/TCP_Rewriter.cc
+++ b/src/TCP_Rewriter.cc
@ -288,7 +288,7 @@ int TCP_TracePacket::Finish(struct pcap_pkthdr*& hdr,
 	// tp->th_urp = 0;		// clear urgent pointer
 	// Fix IP addresses before computing the TCP checksum
-	if ( anonymize_ip_addr )
+	if ( BifConst::anonymize_ip_addr )
 		{
 		ip->ip_src.s_addr = anon_src;
 		ip->ip_dst.s_addr = anon_dst;
@ -726,7 +726,7 @@ void TCP_RewriterEndpoint::PushPacket()
 #endif
 	if ( ! IsPlaceHolderPacket(next_packet) ||
-	     ! omit_rewrite_place_holder )
+	     ! BifConst::omit_rewrite_place_holder )
 		{
 		if ( next_packet->PredictedAsEmptyPlaceHolder() )
 			{
@ -798,7 +798,7 @@ TCP_Rewriter::TCP_Rewriter(TCP_Analyzer* arg_analyzer, PacketDumper* arg_dumper,
 	anon_addr[0] = anon_addr[1] = 0;
-	if ( anonymize_ip_addr )
+	if ( BifConst::anonymize_ip_addr )
 		{
 		anon_addr[0] = anonymize_ip(to_v4_addr(analyzer->Conn()->OrigAddr()),
 						ORIG_ADDR);
@ -909,7 +909,7 @@ void TCP_Rewriter::NextPacket(int is_orig, double t,
 	// Before setting current_packet to p, first clean up empty
 	// place holders to save memory space.
-	if ( omit_rewrite_place_holder && holding_packets )
+	if ( BifConst::omit_rewrite_place_holder && holding_packets )
 		CleanUpEmptyPlaceHolders();
 	current_packet = p;
@ -1562,7 +1562,7 @@ TCP_SourcePacketWriter* get_src_pkt_writer(TCP_Analyzer* analyzer)
 		{
 		if ( ! pkt_dumper )
 			return 0;	// don't complain if no output file
-		else if ( ! dump_selected_source_packets )
+		else if ( ! BifConst::dump_selected_source_packets )
 			builtin_run_time("flag dump_source_packets is not set");
 		else
 			internal_error("source packet writer not initialized");
@ -1571,5 +1571,5 @@ TCP_SourcePacketWriter* get_src_pkt_writer(TCP_Analyzer* analyzer)
 	return writer;
 	}
-
+#include "common-rw.bif.func_h"
 #include "common-rw.bif.func_def"
--- a/src/UDP_Rewriter.cc
+++ b/src/UDP_Rewriter.cc
@ -26,7 +26,7 @@ UDP_Rewriter::UDP_Rewriter(Analyzer* arg_analyzer, int arg_MTU,
 	packets_rewritten = 0;
 	current_packet = next_packet = 0;
-	if ( anonymize_ip_addr )
+	if ( BifConst::anonymize_ip_addr )
 		{
 		anon_addr[0] = anonymize_ip(to_v4_addr(analyzer->Conn()->OrigAddr()),
 						ORIG_ADDR);
@ -73,7 +73,7 @@ int UDP_TracePacket::BuildPacket(struct pcap_pkthdr*& hdr,
 	uint32 sum = 0;
 	// Fix IP addresses before computing the UDP checksum
-	if ( anonymize_ip_addr )
+	if ( BifConst::anonymize_ip_addr )
 		{
 		ip->ip_src.s_addr = anon_src;
 		ip->ip_dst.s_addr = anon_dst;
--- a/src/bittorrent-analyzer.pac
+++ b/src/bittorrent-analyzer.pac
@ -64,7 +64,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		handshake_ok = true;
 		if ( ::bittorrent_peer_handshake )
 			{
-			bro_event_bittorrent_peer_handshake(
+			BifEvent::generate_bittorrent_peer_handshake(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@ -82,7 +82,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_keep_alive )
 			{
-			bro_event_bittorrent_peer_keep_alive(
+			BifEvent::generate_bittorrent_peer_keep_alive(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@ -95,7 +95,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_choke )
 			{
-			bro_event_bittorrent_peer_choke(
+			BifEvent::generate_bittorrent_peer_choke(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@ -108,7 +108,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_unchoke )
 			{
-			bro_event_bittorrent_peer_unchoke(
+			BifEvent::generate_bittorrent_peer_unchoke(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@ -121,7 +121,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_interested )
 			{
-			bro_event_bittorrent_peer_interested(
+			BifEvent::generate_bittorrent_peer_interested(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@ -134,7 +134,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_not_interested )
 			{
-			bro_event_bittorrent_peer_not_interested(
+			BifEvent::generate_bittorrent_peer_not_interested(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@ -147,7 +147,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_have )
 			{
-			bro_event_bittorrent_peer_have(
+			BifEvent::generate_bittorrent_peer_have(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@ -161,7 +161,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_bitfield )
 			{
-			bro_event_bittorrent_peer_bitfield(
+			BifEvent::generate_bittorrent_peer_bitfield(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@ -176,7 +176,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_request )
 			{
-			bro_event_bittorrent_peer_request(
+			BifEvent::generate_bittorrent_peer_request(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@ -191,7 +191,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_piece )
 			{
-			bro_event_bittorrent_peer_piece(
+			BifEvent::generate_bittorrent_peer_piece(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@ -206,7 +206,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_cancel )
 			{
-			bro_event_bittorrent_peer_cancel(
+			BifEvent::generate_bittorrent_peer_cancel(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@ -220,7 +220,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_port )
 			{
-			bro_event_bittorrent_peer_port(
+			BifEvent::generate_bittorrent_peer_port(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@ -234,7 +234,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_unknown )
 			{
-			bro_event_bittorrent_peer_unknown(
+			BifEvent::generate_bittorrent_peer_unknown(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
--- a/src/builtin-func.l
+++ b/src/builtin-func.l
@ -28,7 +28,11 @@ int check_c_mode(int t)
 %}
 WS	[ \t]+
-ID	[A-Za-z_][A-Za-z_0-9]*
+ /* Note, bifcl only accepts a single :: in IDs while the policy
    layer acceptes multiple. (But the policy layer doesn't have 
 	a hierachy */
 IDCOMPONENT [A-Za-z_][A-Za-z_0-9]*
 ID	{IDCOMPONENT}(::{IDCOMPONENT})?
 ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
 D   [[:digit:]]+
 HEX	[0-9a-fA-F]+
@ -69,6 +73,7 @@ HEX	[0-9a-fA-F]+
 "enum"		return check_c_mode(TOK_ENUM);
 "type"		return check_c_mode(TOK_TYPE);
 "record"	return check_c_mode(TOK_RECORD);
 "module"    return check_c_mode(TOK_MODULE);
 "@ARG@"		return TOK_ARG;
 "@ARGS@"	return TOK_ARGS;
--- a/src/builtin-func.y
+++ b/src/builtin-func.y
@ -9,6 +9,10 @@ using namespace std;
 #include <stdio.h>
 #include <stdlib.h>
 #include "module_util.h"
 using namespace std;
 extern int line_number;
 extern char* input_filename;
@ -23,39 +27,128 @@ extern FILE* fp_netvar_def;
 extern FILE* fp_netvar_init;
 int in_c_code = 0;
 string current_module = GLOBAL_MODULE_NAME;
 int definition_type;
-const char* bro_prefix;
+
 const char* c_prefix;
 enum {
 	C_SEGMENT_DEF,
 	FUNC_DEF,
 	REWRITER_DEF,
 	EVENT_DEF,
 	ENUM_DEF,
 	CONST_DEF,
 	RECORD_DEF,
 };
 // Holds the name of a declared object (function, enum, record type, event, 
 // etc. and information about namespaces, etc.
 struct decl_struct {
 	string module_name;
 	string bare_name; // name without module or namespace
 	string c_namespace_start; // "opening" namespace for use in netvar_*
 	string c_namespace_end;   // closing "}" for all the above namespaces
 	string c_fullname; // fully qualified name (namespace::....) for use in netvar_init
 	string bro_fullname; // fully qualified bro name, for netvar (and lookup_ID())
 	string bro_name;  // the name as we read it from input. What we write into the .bro file
 	// special cases for events. Events have an EventHandlerPtr
 	// and a generate_* function. This name is for the generate_* function
 	string generate_bare_name;
 	string generate_c_fullname;
 	string generate_c_namespace_start;
 	string generate_c_namespace_end;
 } decl;
 void set_definition_type(int type)
 	{
 	definition_type = type;
-	switch ( type ) {
+	}
-	case FUNC_DEF:
+
-		bro_prefix = "";
+void set_decl_name(const char *name)
-		c_prefix = "bro_";
+	{
 	decl.module_name = extract_module_name(name);
 	decl.bare_name = extract_var_name(name);
 	decl.c_namespace_start = "";
 	decl.c_namespace_end = "";
 	decl.c_fullname = "";
 	decl.bro_fullname = "";
 	decl.bro_name = "";
 	decl.generate_c_fullname = "";
 	decl.generate_bare_name = string("generate_") + decl.bare_name;
 	decl.generate_c_namespace_start = "";
 	decl.generate_c_namespace_end = "";
 	switch ( definition_type ) {
 	case ENUM_DEF:
 		decl.c_namespace_start = "namespace BifTypePtr { namespace Enum { ";
 		decl.c_namespace_end = " } }";
 		decl.c_fullname = "BifTypePtr::Enum::";
 		break;
 	case RECORD_DEF:
 		decl.c_namespace_start = "namespace BifTypePtr { namespace Record { ";
 		decl.c_namespace_end = " } }";
 		decl.c_fullname = "BifTypePtr::Record::";
 		break;
 	case CONST_DEF:
 		decl.c_namespace_start = "namespace BifConst { ";
 		decl.c_namespace_end = " } ";
 		decl.c_fullname = "BifConst::";
 		break;
 	case REWRITER_DEF:
-		bro_prefix = "rewrite_";
+		// XXX: Legacy. No module names / namespaces supported
-		c_prefix = "bro_rewrite_";
+		// If support for namespaces is desired: add a namespace 
 		// to c_namespace_* and bro_fullname and get rid of 
 		// the hack to bro_name.
 		decl.c_namespace_start = "";
 		decl.c_namespace_end = "";
 		decl.bare_name = "rewrite_" + decl.bare_name;
 		decl.bro_name = "rewrite_";
 		break;
 	case FUNC_DEF:
 		decl.c_namespace_start = "namespace BifFunc { ";
 		decl.c_namespace_end = " } ";
 		decl.c_fullname = "BifFunc::";
 		break;
 	case EVENT_DEF:
-		bro_prefix = "";
+		decl.c_namespace_start = "";
-		c_prefix = "bro_event_";
+		decl.c_namespace_end = "";
 		decl.c_fullname = "";
 		decl.generate_c_namespace_start = "namespace BifEvent { ";
 		decl.generate_c_namespace_end = " } ";
 		decl.generate_c_fullname = "BifEvent::";
 		break;
-	case C_SEGMENT_DEF:
+	default:
 		break;
 	}
 	if (decl.module_name != GLOBAL_MODULE_NAME)
 		{
 		decl.c_namespace_start += "namespace " + decl.module_name + " { "; 
 		decl.c_namespace_end += string(" }");
 		decl.c_fullname += decl.module_name + "::";
 		decl.bro_fullname += decl.module_name + "::";
 		decl.generate_c_namespace_start  += "namespace " + decl.module_name + " { ";
 		decl.generate_c_namespace_end += " } ";
 		decl.generate_c_fullname += decl.module_name + "::";
 		}
 	decl.bro_fullname += decl.bare_name;
 	if (definition_type == FUNC_DEF)
 		decl.bare_name = string("bro_") + decl.bare_name;
 	decl.c_fullname += decl.bare_name;
 	decl.bro_name += name;
 	decl.generate_c_fullname += decl.generate_bare_name;
 	}
 const char* arg_list_name = "BiF_ARGS";
@ -63,7 +156,6 @@ const char* trace_rewriter_name = "trace_rewriter";
 #include "bif_arg.h"
 extern const char* decl_name;
 int var_arg; // whether the number of arguments is variable
 std::vector<BuiltinFuncArg*> args;
@ -87,9 +179,15 @@ char* concat(const char* str1, const char* str2)
 	}
 // Print the bro_event_* function prototype in C++, without the ending ';'
-void print_event_c_prototype(FILE *fp)
+void print_event_c_prototype(FILE *fp, bool is_header)
 	{
-	fprintf(fp, "void %s%s(Analyzer* analyzer%s", c_prefix, decl_name,
+	if (is_header)
 		fprintf(fp, "%s void %s(Analyzer* analyzer%s", 
 			decl.generate_c_namespace_start.c_str(), decl.generate_bare_name.c_str(),
 			args.size() ? ", " : "" );
 	else
 		fprintf(fp, "void %s(Analyzer* analyzer%s", 
 			decl.generate_c_fullname.c_str(), 
 			args.size() ? ", " : "" );
 	for ( int i = 0; i < (int) args.size(); ++i )
 		{
@ -98,6 +196,10 @@ void print_event_c_prototype(FILE *fp)
 		args[i]->PrintCArg(fp, i);
 		}
 	fprintf(fp, ")");
 	if (is_header)
 		fprintf(fp, "; %s\n", decl.generate_c_namespace_end.c_str());
 	else 
 		fprintf(fp, "\n");
 	}
 // Print the bro_event_* function body in C++.
@ -106,9 +208,9 @@ void print_event_c_body(FILE *fp)
 	fprintf(fp, "\t{\n");
 	fprintf(fp, "\t// Note that it is intentional that here we do not\n");
 	fprintf(fp, "\t// check if %s is NULL, which should happen *before*\n",
-		decl_name);
+		decl.c_fullname.c_str());
-	fprintf(fp, "\t// bro_event_%s is called to avoid unnecessary Val\n",
+	fprintf(fp, "\t// %s is called to avoid unnecessary Val\n",
-		decl_name);
+		decl.generate_c_fullname.c_str());
 	fprintf(fp, "\t// allocation.\n");
 	fprintf(fp, "\n");
@ -138,7 +240,7 @@ void print_event_c_body(FILE *fp)
 	fprintf(fp, "\n");
 	fprintf(fp, "\tmgr.QueueEvent(%s, vl, SOURCE_LOCAL, analyzer->GetID(), timer_mgr",
-		decl_name);
+		decl.c_fullname.c_str());
 	if ( connection_arg )
 		// Pass the connection to the EventMgr as the "cookie"
@ -146,13 +248,14 @@ void print_event_c_body(FILE *fp)
 	fprintf(fp, ");\n");
 	fprintf(fp, "\t} // event generation\n");
 	//fprintf(fp, "%s // end namespace\n", decl.generate_c_namespace_end.c_str());
 	}
 %}
 %token TOK_LPP TOK_RPP TOK_LPB TOK_RPB TOK_LPPB TOK_RPPB TOK_VAR_ARG
 %token TOK_BOOL
 %token TOK_FUNCTION TOK_REWRITER TOK_EVENT TOK_CONST TOK_ENUM 
-%token TOK_TYPE TOK_RECORD
+%token TOK_TYPE TOK_RECORD TOK_MODULE
 %token TOK_WRITE TOK_PUSH TOK_EOF TOK_TRACE
 %token TOK_ARGS TOK_ARG TOK_ARGC
 %token TOK_ID TOK_ATTR TOK_CSTR TOK_LF TOK_WS TOK_COMMENT
@ -170,6 +273,14 @@ void print_event_c_body(FILE *fp)
 %%
 builtin_lang:	definitions
 			{
 			fprintf(fp_bro_init, "} # end of export section\n");
 			fprintf(fp_bro_init, "module %s;\n", GLOBAL_MODULE_NAME);
 			}
 definitions:	definitions definition opt_ws 
 			{ fprintf(fp_func_def, "%s", $3); }
 	|	opt_ws
@ -189,6 +300,7 @@ definitions:	definitions definition opt_ws
 			fprintf(fp_netvar_h, "// %s\n\n", auto_gen_comment);
 			fprintf(fp_netvar_init, "// %s\n\n", auto_gen_comment);
 			fprintf(fp_bro_init, "export {\n");
 			fprintf(fp_func_def, "%s", $1);
 			}
 	;
@ -200,9 +312,16 @@ definition:	event_def
 	|	enum_def
 	|	const_def
 	|	type_def
 	|   module_def
 	;
 module_def:	TOK_MODULE opt_ws TOK_ID opt_ws ';'
 			{
 			current_module = $2;
 			fprintf(fp_bro_init, "module %s;\n", $2);
 			}
 	 // XXX: Add the netvar glue so that the event engine knows about
 	 // the type. One still has to define the type in bro.init. 
 	 // Would be nice, if we could just define the record type here
@ -213,25 +332,25 @@ definition:	event_def
 	 // TODO: add other types (tables, sets)
 type_def:	TOK_TYPE opt_ws TOK_ID opt_ws ':' opt_ws TOK_RECORD opt_ws ';'
 			{
-			fprintf(fp_netvar_h,
+			set_definition_type(RECORD_DEF);
-				"namespace BroTypePtr { namespace Record { extern RecordType* %s; } }\n", $3);
+			set_decl_name($3);
-			fprintf(fp_netvar_def,
+
-				"namespace BroTypePtr { namespace Record { RecordType* %s; } }\n", $3);
+			fprintf(fp_netvar_h, "%s extern RecordType * %s; %s\n",
 				decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 			fprintf(fp_netvar_def, "%s RecordType * %s; %s\n",
 				decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 			fprintf(fp_netvar_init,
-				"\tBroTypePtr::Record::%s = internal_type(\"%s\")->AsRecordType();\n",
+				"\t%s = internal_type(\"%s\")->AsRecordType();\n",
-				$3, $3);
+				decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 			}
 	;
 event_def:	event_prefix opt_ws plain_head opt_attr end_of_head ';'
 			{
-			print_event_c_prototype(fp_func_h);
+			print_event_c_prototype(fp_func_h, true);
-			fprintf(fp_func_h, ";\n");
+			print_event_c_prototype(fp_func_def, false);
 			print_event_c_prototype(fp_func_def);
 			fprintf(fp_func_def, "\n");
 			print_event_c_body(fp_func_def);
 			}
 	;
 func_def:	func_prefix opt_ws typed_head end_of_head body
 	;
@ -243,24 +362,34 @@ enum_def:	enum_def_1 enum_list TOK_RPB
 			{
 			// First, put an end to the enum type decl.
 			fprintf(fp_bro_init, "};\n");
-			fprintf(fp_netvar_h, "}; }\n");
+			if (decl.module_name != GLOBAL_MODULE_NAME)
 				fprintf(fp_netvar_h, "}; } }\n");
 			else
 				fprintf(fp_netvar_h, "}; }\n");
 			// Now generate the netvar's.
-			fprintf(fp_netvar_h,
+			fprintf(fp_netvar_h, "%s extern EnumType * %s; %s\n",
-				"namespace BroTypePtr { namespace Enum { extern EnumType* %s;\n } }", decl_name);
+				decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
-			fprintf(fp_netvar_def,
+			fprintf(fp_netvar_def, "%s EnumType * %s; %s\n",
-				"namespace BroTypePtr { namespace Enum { EnumType* %s; } }\n", decl_name);
+				decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 			fprintf(fp_netvar_init,
-				"\tBroTypePtr::Enum::%s = internal_type(\"%s\")->AsEnumType();\n",
+				"\t%s = internal_type(\"%s\")->AsEnumType();\n",
-				decl_name, decl_name);
+				decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 			}
 	;
 enum_def_1:	TOK_ENUM opt_ws TOK_ID opt_ws TOK_LPB opt_ws
 			{
-			decl_name = $3;
+			set_definition_type(ENUM_DEF);
-			fprintf(fp_bro_init, "type %s: enum %s{%s", $3, $4, $6);
+			set_decl_name($3);
-			fprintf(fp_netvar_h, "namespace BroEnum { ");
+			fprintf(fp_bro_init, "type %s: enum %s{%s", decl.bro_name.c_str(), $4, $6);
 			// this is the namespace were the enumerators are defined, not where
 			// the type is defined.
 			// We don't support fully qualified names as enumerators. Use a module name
 			fprintf(fp_netvar_h, "namespace BifEnum { "); 
 			if (decl.module_name != GLOBAL_MODULE_NAME)
 				fprintf(fp_netvar_h, "namespace %s { ", decl.module_name.c_str());
 			fprintf(fp_netvar_h, "enum %s {\n", $3);
 			}
 	;
@ -281,18 +410,21 @@ enum_list:	enum_list TOK_ID opt_ws ',' opt_ws
 const_def:	const_def_1 const_init opt_attr ';'
 			{
 			fprintf(fp_bro_init, ";\n");
-			fprintf(fp_netvar_h, "extern int %s;\n", decl_name);
+			fprintf(fp_netvar_h, "%s extern int %s; %s\n", 
-			fprintf(fp_netvar_def, "int %s;\n", decl_name);
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 			fprintf(fp_netvar_def, "%s int %s; %s\n", 
 					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 			fprintf(fp_netvar_init, "\t%s = internal_val(\"%s\")->AsBool();\n",
-				decl_name, decl_name);
+				decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 			}
 	;
 const_def_1:	TOK_CONST opt_ws TOK_ID opt_ws
 			{
-			decl_name = $3;
+			set_definition_type(CONST_DEF);
 			set_decl_name($3);
 			fprintf(fp_bro_init, "const%s", $2);
-			fprintf(fp_bro_init, "%s: bool%s", $3, $4);
+			fprintf(fp_bro_init, "%s: bool%s", decl.bro_name.c_str(), $4);
 			}
 	;
@ -364,7 +496,7 @@ plain_head:	head_1 args arg_end opt_ws
 head_1:		TOK_ID opt_ws arg_begin
 			{
 			const char* method_type = 0;
-			decl_name = $1;
+			set_decl_name($1);
 			if ( definition_type == FUNC_DEF || definition_type == REWRITER_DEF )
 				{
@ -376,40 +508,37 @@ head_1:		TOK_ID opt_ws arg_begin
 			if ( method_type )
 				fprintf(fp_bro_init,
-					"global %s%s: %s%s(",
+					"global %s: %s%s(",
-					bro_prefix, decl_name, method_type, $2);
+					decl.bro_name.c_str(), method_type, $2);
 			if ( definition_type == FUNC_DEF || definition_type == REWRITER_DEF )
 				{
 				fprintf(fp_func_init,
-					"\textern Val* %s%s(Frame* frame, val_list*);\n",
+					"\t(void) new BuiltinFunc(%s, \"%s\", 0);\n",
-					c_prefix, decl_name);
+					decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 				fprintf(fp_func_init,
 					"\t(void) new BuiltinFunc(%s%s, \"%s%s\", 0);\n",
 					c_prefix, decl_name, bro_prefix, decl_name);
 				fprintf(fp_func_h,
-					"extern Val* %s%s(Frame* frame, val_list*);\n",
+					"%sextern Val* %s(Frame* frame, val_list*);\n %s",
-					c_prefix, decl_name);
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 				fprintf(fp_func_def,
-					"Val* %s%s(Frame* frame, val_list* %s)",
+					"Val* %s(Frame* frame, val_list* %s)",
-					c_prefix, decl_name, arg_list_name);
+					decl.c_fullname.c_str(), arg_list_name);
 				}
 			else if ( definition_type == EVENT_DEF )
 				{
 				// TODO: add namespace for events here
 				fprintf(fp_netvar_h,
-					"extern EventHandlerPtr %s;\n",
+					"%sextern EventHandlerPtr %s; %s\n",
-					decl_name);
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 				fprintf(fp_netvar_def,
-					"EventHandlerPtr %s;\n",
+					"%sEventHandlerPtr %s; %s\n",
-					decl_name);
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 				fprintf(fp_netvar_init,
 					"\t%s = internal_handler(\"%s\");\n",
-					decl_name, decl_name);
+					decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 				// C++ prototypes of bro_event_* functions will
 				// be generated later.
@ -455,7 +584,7 @@ return_type:	':' opt_ws TOK_ID opt_ws
 body:		body_start c_body body_end
 			{
-			fprintf(fp_func_def, " // end of %s\n", decl_name);
+			fprintf(fp_func_def, " // end of %s\n", decl.c_fullname.c_str());
 			print_line_directive(fp_func_def);
 			}
 	;
@ -492,7 +621,7 @@ body_start:	TOK_LPB c_code_begin
 				fprintf(fp_func_def, "\t\t{\n");
 				fprintf(fp_func_def,
 					"\t\trun_time(\"%s() takes exactly %d argument(s)\");\n",
-					decl_name, argc);
+					decl.bro_fullname.c_str(), argc);
 				fprintf(fp_func_def, "\t\treturn 0;\n");
 				fprintf(fp_func_def, "\t\t}\n");
 				}
@ -502,7 +631,7 @@ body_start:	TOK_LPB c_code_begin
 				fprintf(fp_func_def, "\t\t{\n");
 				fprintf(fp_func_def,
 					"\t\trun_time(\"%s() takes at least %d argument(s)\");\n",
-					decl_name, argc);
+					decl.bro_fullname.c_str(), argc);
 				fprintf(fp_func_def, "\t\treturn 0;\n");
 				fprintf(fp_func_def, "\t\t}\n");
 				}
@ -586,7 +715,6 @@ opt_ws:		opt_ws TOK_WS
 extern char* yytext;
 extern char* input_filename;
 extern int line_number;
 const char* decl_name;
 void err_exit(void);
 void print_msg(const char msg[])
--- a/src/dce_rpc-analyzer.pac
+++ b/src/dce_rpc-analyzer.pac
@ -88,7 +88,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 					bind_elems.p_cont_elem[i].abstract_syntax.if_uuid};
 				// Queue the event
-				bro_event_dce_rpc_bind(
+				BifEvent::generate_dce_rpc_bind(
 					${connection.bro_analyzer},
 					${connection.bro_analyzer}->Conn(),
 					bytestring_to_val(${if_uuid}));
@ -106,7 +106,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 		%{
 		if ( dce_rpc_request )
 			{
-			bro_event_dce_rpc_request(
+			BifEvent::generate_dce_rpc_request(
 				${connection.bro_analyzer},
 				${connection.bro_analyzer}->Conn(),
 				${req.opnum},
@ -124,7 +124,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 		%{
 		if ( dce_rpc_response )
 			{
-			bro_event_dce_rpc_response(
+			BifEvent::generate_dce_rpc_response(
 				${connection.bro_analyzer},
 				${connection.bro_analyzer}->Conn(),
 				${connection}->get_cont_id_opnum_map(${resp.p_cont_id}),
--- a/src/dhcp-analyzer.pac
+++ b/src/dhcp-analyzer.pac
@ -91,31 +91,31 @@ flow DHCP_Flow(is_orig: bool) {
 		switch ( type )
 		{
 		case DHCPDISCOVER:
-			bro_event_dhcp_discover(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_discover(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref(), req_addr);
 			break;
 		case DHCPREQUEST:
-			bro_event_dhcp_request(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_request(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dhcp_msg_val_->Ref(), req_addr, serv_addr);
 			break;
 		case DHCPDECLINE:
-			bro_event_dhcp_decline(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_decline(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
 		case DHCPRELEASE:
-			bro_event_dhcp_release(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_release(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
 		case DHCPINFORM:
-			bro_event_dhcp_inform(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_inform(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
@ -204,21 +204,21 @@ flow DHCP_Flow(is_orig: bool) {
 		switch ( type ) {
 		case DHCPOFFER:
-			bro_event_dhcp_offer(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_offer(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref(), subnet_mask,
 					router_list, lease, serv_addr);
 			break;
 		case DHCPACK:
-			bro_event_dhcp_ack(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_ack(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref(), subnet_mask,
 					router_list, lease, serv_addr);
 			break;
 		case DHCPNAK:
-			bro_event_dhcp_nak(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_nak(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
--- a/src/dns-analyzer.pac
+++ b/src/dns-analyzer.pac
@ -124,7 +124,7 @@ flow DNS_Flow
 		if ( msg->header()->qr() == 0 )
 			{
-			bro_event_dns_request(
+			BifEvent::generate_dns_request(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dns_msg_val_->Ref(),
@ -137,7 +137,7 @@ flow DNS_Flow
 		          msg->header()->nscount() == 0 &&
 		          msg->header()->arcount() == 0 )
 			{
-			bro_event_dns_rejected(
+			BifEvent::generate_dns_rejected(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dns_msg_val_->Ref(),
@ -253,7 +253,7 @@ flow DNS_Flow
 			// above fixes for BROv6, we can probably now introduce
 			// their own events.  (It's not clear A6 is needed -
 			// do we actually encounter it in practice?)
-			bro_event_dns_A_reply(connection()->bro_analyzer(),
+			BifEvent::generate_dns_A_reply(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dns_msg_val_->Ref(), build_dns_answer(rr), addr);
 			break;
@ -261,7 +261,7 @@ flow DNS_Flow
 		case TYPE_NS:
 			if ( dns_NS_reply )
 				{
-				bro_event_dns_NS_reply(connection()->bro_analyzer(),
+				BifEvent::generate_dns_NS_reply(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
 					build_dns_answer(rr),
@ -272,7 +272,7 @@ flow DNS_Flow
 		case TYPE_CNAME:
 			if ( dns_CNAME_reply )
 				{
-				bro_event_dns_CNAME_reply(
+				BifEvent::generate_dns_CNAME_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@ -284,7 +284,7 @@ flow DNS_Flow
 		case TYPE_SOA:
 			if ( dns_SOA_reply )
 				{
-				bro_event_dns_SOA_reply(
+				BifEvent::generate_dns_SOA_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@ -296,7 +296,7 @@ flow DNS_Flow
 		case TYPE_PTR:
 			if ( dns_PTR_reply )
 				{
-				bro_event_dns_PTR_reply(
+				BifEvent::generate_dns_PTR_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@ -308,7 +308,7 @@ flow DNS_Flow
 		case TYPE_MX:
 			if ( dns_MX_reply )
 				{
-				bro_event_dns_MX_reply(
+				BifEvent::generate_dns_MX_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@ -321,7 +321,7 @@ flow DNS_Flow
 		case TYPE_EDNS:
 			if ( dns_EDNS_addl )
 				{
-				bro_event_dns_EDNS_addl(
+				BifEvent::generate_dns_EDNS_addl(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
--- a/src/http-analyzer.pac
+++ b/src/http-analyzer.pac
@ -84,7 +84,7 @@ flow HTTP_Flow(is_orig: bool) {
 		if ( ::http_request )
 			{
 			bytestring unescaped_uri = unescape_uri(uri);
-			bro_event_http_request(connection()->bro_analyzer(),
+			BifEvent::generate_http_request(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				bytestring_to_val(method),
 				bytestring_to_val(uri),
@ -103,7 +103,7 @@ flow HTTP_Flow(is_orig: bool) {
 		%{
 		if ( ::http_reply )
 			{
-			bro_event_http_reply(connection()->bro_analyzer(),
+			BifEvent::generate_http_reply(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				bytestring_to_val(${vers.vers_str}), code,
 				bytestring_to_val(reason));
@ -205,7 +205,7 @@ flow HTTP_Flow(is_orig: bool) {
 		if ( ::http_header )
 			{
-			bro_event_http_header(connection()->bro_analyzer(),
+			BifEvent::generate_http_header(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
 				bytestring_to_val(name)->ToUpper(),
@ -236,7 +236,7 @@ flow HTTP_Flow(is_orig: bool) {
 		%{
 		if ( ::http_all_headers )
 			{
-			bro_event_http_all_headers(connection()->bro_analyzer(),
+			BifEvent::generate_http_all_headers(connection()->bro_analyzer(),
 						connection()->bro_analyzer()->Conn(),
 						is_orig(),
 						build_http_headers_val());
@ -263,7 +263,7 @@ flow HTTP_Flow(is_orig: bool) {
 		msg_start_time_ = network_time();
 		if ( ::http_begin_entity )
 			{
-			bro_event_http_begin_entity(connection()->bro_analyzer(),
+			BifEvent::generate_http_begin_entity(connection()->bro_analyzer(),
 							connection()->bro_analyzer()->Conn(), is_orig());
 			}
 		%}
@ -295,13 +295,13 @@ flow HTTP_Flow(is_orig: bool) {
 		if ( ::http_end_entity )
 			{
-			bro_event_http_end_entity(connection()->bro_analyzer(),
+			BifEvent::generate_http_end_entity(connection()->bro_analyzer(),
 							connection()->bro_analyzer()->Conn(), is_orig());
 			}
 		if ( ::http_message_done )
 			{
-			bro_event_http_message_done(connection()->bro_analyzer(),
+			BifEvent::generate_http_message_done(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					is_orig(), build_http_message_stat());
 			}
--- a/src/portmap-analyzer.pac
+++ b/src/portmap-analyzer.pac
@ -100,23 +100,23 @@ refine connection RPC_Conn += {
 		switch ( call->proc() ) {
 		case PMAPPROC_NULL:
-			bro_event_pm_request_null(bro_analyzer(), bro_analyzer()->Conn());
+			BifEvent::generate_pm_request_null(bro_analyzer(), bro_analyzer()->Conn());
 			break;
 		case PMAPPROC_SET:
-			bro_event_pm_request_set(bro_analyzer(),
+			BifEvent::generate_pm_request_set(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				call->call_val(), results->set());
 			break;
 		case PMAPPROC_UNSET:
-			bro_event_pm_request_unset(bro_analyzer(),
+			BifEvent::generate_pm_request_unset(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				call->call_val(), results->unset());
 			break;
 		case PMAPPROC_GETPORT:
-			bro_event_pm_request_getport(bro_analyzer(),
+			BifEvent::generate_pm_request_getport(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				call->call_val(),
 				PortmapBuildPortVal(results->getport(),
@ -124,13 +124,13 @@ refine connection RPC_Conn += {
 			break;
 		case PMAPPROC_DUMP:
-			bro_event_pm_request_dump(bro_analyzer(),
+			BifEvent::generate_pm_request_dump(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				PortmapBuildDumpVal(results->dump()));
 			break;
 		case PMAPPROC_CALLIT:
-			bro_event_pm_request_callit(bro_analyzer(),
+			BifEvent::generate_pm_request_callit(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				call->call_val(),
 				new PortVal(results->callit()->port(),
@ -149,37 +149,37 @@ function PortmapCallFailed(connection: RPC_Conn,
 			call: RPC_Call,
 			status: EnumRPCStatus): bool
 	%{
-	// BroEnum::rpc_status st = static_cast<BroEnum::rpc_status>(status);
+	// BifEnum::rpc_status st = static_cast<BifEnum::rpc_status>(status);
-	Val *st = new EnumVal(status, BroTypePtr::Enum::rpc_status);
+	Val *st = new EnumVal(status, BifTypePtr::Enum::rpc_status);
 	switch ( call->proc() ) {
 	case PMAPPROC_NULL:
-		bro_event_pm_attempt_null(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_null(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st);
 		break;
 	case PMAPPROC_SET:
-		bro_event_pm_attempt_set(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_set(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st, call->call_val());
 		break;
 	case PMAPPROC_UNSET:
-		bro_event_pm_attempt_unset(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_unset(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st, call->call_val());
 		break;
 	case PMAPPROC_GETPORT:
-		bro_event_pm_attempt_getport(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_getport(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st, call->call_val());
 		break;
 	case PMAPPROC_DUMP:
-		bro_event_pm_attempt_dump(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_dump(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st);
 		break;
 	case PMAPPROC_CALLIT:
-		bro_event_pm_attempt_callit(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_callit(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st, call->call_val());
 		break;
--- a/src/rpc-analyzer.pac
+++ b/src/rpc-analyzer.pac
@ -157,7 +157,7 @@ flow RPC_Flow (is_orig: bool) {
 			return false;
 			}
-		bro_event_rpc_call(connection()->bro_analyzer(),
+		BifEvent::generate_rpc_call(connection()->bro_analyzer(),
 		                   connection()->bro_analyzer()->Conn(),
 		                   call->prog(),
 		                   call->vers(),
--- a/src/ssl-analyzer.pac
+++ b/src/ssl-analyzer.pac
@ -165,7 +165,7 @@ refine analyzer SSLAnalyzer += {
 		%{
 		StringVal* err_str =
 			new StringVal(X509_verify_cert_error_string(err_num));
-		bro_event_ssl_X509_error(bro_analyzer_, bro_analyzer_->Conn(),
+		BifEvent::generate_ssl_X509_error(bro_analyzer_, bro_analyzer_->Conn(),
 						err_num, err_str);
 		%}
@ -189,7 +189,7 @@ refine analyzer SSLAnalyzer += {
 	function proc_alert(level : int, description : int) : bool
 		%{
-		bro_event_ssl_conn_alert(bro_analyzer_, bro_analyzer_->Conn(),
+		BifEvent::generate_ssl_conn_alert(bro_analyzer_, bro_analyzer_->Conn(),
 						current_record_version_, level,
 						description);
 		return true;
@ -217,7 +217,7 @@ refine analyzer SSLAnalyzer += {
 			Unref(ciph);
 			}
-		bro_event_ssl_conn_attempt(bro_analyzer_, bro_analyzer_->Conn(),
+		BifEvent::generate_ssl_conn_attempt(bro_analyzer_, bro_analyzer_->Conn(),
 						version, cipher_table);
 		if ( ssl_compare_cipherspecs )
@ -252,7 +252,7 @@ refine analyzer SSLAnalyzer += {
 			Unref(ciph);
 			}
-		bro_event_ssl_conn_server_reply(bro_analyzer_,
+		BifEvent::generate_ssl_conn_server_reply(bro_analyzer_,
 						bro_analyzer_->Conn(),
 						version_, chosen_ciphers);
@ -263,10 +263,10 @@ refine analyzer SSLAnalyzer += {
 			TableVal* tv = to_table_val(session_id);
 			if ( client_session_id_ &&
 			     *client_session_id_ == *session_id )
-				bro_event_ssl_conn_reused(bro_analyzer_,
+				BifEvent::generate_ssl_conn_reused(bro_analyzer_,
 						bro_analyzer_->Conn(), tv);
 			else
-				bro_event_ssl_session_insertion(bro_analyzer_,
+				BifEvent::generate_ssl_session_insertion(bro_analyzer_,
 						bro_analyzer_->Conn(), tv);
 			delete ciphers;
@ -277,13 +277,13 @@ refine analyzer SSLAnalyzer += {
 			if ( client_session_id_ )
 				{
 				TableVal* tv = to_table_val(client_session_id_);
-				bro_event_ssl_conn_reused(bro_analyzer_,
+				BifEvent::generate_ssl_conn_reused(bro_analyzer_,
 						bro_analyzer_->Conn(), tv);
 				}
 			// We don't know the chosen cipher, as there is
 			// no session storage.
-			bro_event_ssl_conn_established(bro_analyzer_,
+			BifEvent::generate_ssl_conn_established(bro_analyzer_,
 							bro_analyzer_->Conn(),
 							version_, 0xffffffff);
 			delete ciphers;
@ -316,7 +316,7 @@ refine analyzer SSLAnalyzer += {
 		if ( certificates->size() == 0 )
 			return true;
-		bro_event_ssl_certificate_seen(bro_analyzer_,
+		BifEvent::generate_ssl_certificate_seen(bro_analyzer_,
 						bro_analyzer_->Conn(),
 						! current_record_is_orig_);
@ -341,7 +341,7 @@ refine analyzer SSLAnalyzer += {
 		pX509Cert->Assign(1, new StringVal(tmp));
 		pX509Cert->Assign(2, new AddrVal(bro_analyzer_->Conn()->OrigAddr()));
-		bro_event_ssl_certificate(bro_analyzer_, bro_analyzer_->Conn(),
+		BifEvent::generate_ssl_certificate(bro_analyzer_, bro_analyzer_->Conn(),
 					pX509Cert, current_record_is_orig_);
 		if ( X509_get_ext_count(pCert) > 0 )
@ -361,7 +361,7 @@ refine analyzer SSLAnalyzer += {
 				Unref(index);
 				}
-			bro_event_process_X509_extensions(bro_analyzer_,
+			BifEvent::generate_process_X509_extensions(bro_analyzer_,
 						bro_analyzer_->Conn(), x509ex);
 			}
@ -442,7 +442,7 @@ refine analyzer SSLAnalyzer += {
 				state_label(old_state_).c_str()));
 		check_cipher(cipher);
-		bro_event_ssl_conn_established(bro_analyzer_,
+		BifEvent::generate_ssl_conn_established(bro_analyzer_,
 				bro_analyzer_->Conn(), version_, cipher);
 		return true;
@ -483,7 +483,7 @@ refine analyzer SSLAnalyzer += {
 		if ( state_ == STATE_CONN_ESTABLISHED &&
 		     old_state_ == STATE_COMM_ENCRYPTED )
 			{
-			bro_event_ssl_conn_established(bro_analyzer_,
+			BifEvent::generate_ssl_conn_established(bro_analyzer_,
 							bro_analyzer_->Conn(),
 							version_, cipher_);
 			}