diff --git a/CHANGES b/CHANGES index 1b084c7f19..f7f564b290 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,36 @@ +2.3-404 | 2015-01-30 14:23:27 -0800 + + * Update documentation (broken links, outdated tests). (Jon Siwek) + + * Deprecate split* family of BIFs. (Jon Siwek) + + These functions are now deprecated in favor of alternative versions that + return a vector of strings rather than a table of strings. + + Deprecated functions: + + - split: use split_string instead. + - split1: use split_string1 instead. + - split_all: use split_string_all instead. + - split_n: use split_string_n instead. + - cat_string_array: see join_string_vec instead. + - cat_string_array_n: see join_string_vec instead. + - join_string_array: see join_string_vec instead. + - sort_string_array: use sort instead instead. + - find_ip_addresses: use extract_ip_addresses instead. + + Changed functions: + + - has_valid_octets: uses a string_vec parameter instead of string_array. + + Addresses BIT-924. + + * Add a new attribute: &deprecated. While scripts are parsed, a + warning is raised for each usage of an identifier marked as + &deprecated. This also works for BIFs. Addresses BIT-924, + BIT-757. (Jon Siwek) + 2.3-397 | 2015-01-27 10:13:10 -0600 * Handle guess_lexer exceptions in pygments reST directive (Jon Siwek) diff --git a/NEWS b/NEWS index 5e2ef52ca1..af59858e06 100644 --- a/NEWS +++ b/NEWS @@ -53,6 +53,38 @@ Changed Functionality record gives the how many bytes have been written so far (i.e. the "offset"). +- has_valid_octets: now uses a string_vec parameter instead of + string_array. + +Deprecated Functionality +------------------------ + +- The split* family of functions are to be replaced with alternate + versions that return a vector of strings rather than a table of + strings. This also allows deprecation for some related string + concatenation/extraction functions. Note that the new functions use + 0-based indexing, rather than 1-based. + + The full list of now deprecation functions is: + + * split: use split_string instead. + + * split1: use split_string1 instead. + + * split_all: use split_string_all instead. + + * split_n: use split_string_n instead. + + * cat_string_array: see join_string_vec instead. + + * cat_string_array_n: see join_string_vec instead. + + * join_string_array: see join_string_vec instead. + + * sort_string_array: use sort instead. + + * find_ip_addresses: use extract_ip_addresses instead. + Bro 2.3 ======= diff --git a/VERSION b/VERSION index 9a536ef2e7..a47da723dd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-397 +2.3-404 diff --git a/aux/binpac b/aux/binpac index 8d56b507b8..77a86591dc 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 8d56b507b8b804fa83f6637f3b1f198e696cd603 +Subproject commit 77a86591dcf89d7252d3676d3f1199d6c927d073 diff --git a/doc/script-reference/attributes.rst b/doc/script-reference/attributes.rst index 5680a034ff..ef6c6a54a1 100644 --- a/doc/script-reference/attributes.rst +++ b/doc/script-reference/attributes.rst @@ -49,6 +49,8 @@ The Bro scripting language supports the following attributes. +-----------------------------+-----------------------------------------------+ | :bro:attr:`&type_column` |Used by input framework for "port" type. | +-----------------------------+-----------------------------------------------+ +| :bro:attr:`&deprecated` |Marks an identifier as deprecated. | ++-----------------------------+-----------------------------------------------+ Here is a more detailed explanation of each attribute: @@ -230,3 +232,9 @@ Here is a more detailed explanation of each attribute: msg: string; }; +.. bro:attr:: &deprecated + + The associated identifier is marked as deprecated and will be + removed in a future version of Bro. Look in the NEWS file for more + explanation and/or instructions to migrate code that uses deprecated + functionality. diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.bro index 627bcc9fee..73f98aa5f8 100644 --- a/scripts/base/files/unified2/main.bro +++ b/scripts/base/files/unified2/main.bro @@ -152,26 +152,26 @@ redef record fa_file += { event Unified2::read_sid_msg_line(desc: Input::EventDescription, tpe: Input::Event, line: string) { - local parts = split_n(line, / \|\| /, F, 100); - if ( |parts| >= 2 && /^[0-9]+$/ in parts[1] ) - sid_map[to_count(parts[1])] = parts[2]; + local parts = split_string_n(line, / \|\| /, F, 100); + if ( |parts| >= 2 && /^[0-9]+$/ in parts[0] ) + sid_map[to_count(parts[0])] = parts[1]; } event Unified2::read_gen_msg_line(desc: Input::EventDescription, tpe: Input::Event, line: string) { - local parts = split_n(line, / \|\| /, F, 3); - if ( |parts| >= 2 && /^[0-9]+$/ in parts[1] ) - gen_map[to_count(parts[1])] = parts[3]; + local parts = split_string_n(line, / \|\| /, F, 3); + if ( |parts| >= 2 && /^[0-9]+$/ in parts[0] ) + gen_map[to_count(parts[0])] = parts[2]; } event Unified2::read_classification_line(desc: Input::EventDescription, tpe: Input::Event, line: string) { - local parts = split_n(line, /: /, F, 2); + local parts = split_string_n(line, /: /, F, 2); if ( |parts| == 2 ) { - local parts2 = split_n(parts[2], /,/, F, 4); + local parts2 = split_string_n(parts[1], /,/, F, 4); if ( |parts2| > 1 ) - classification_map[|classification_map|+1] = parts2[1]; + classification_map[|classification_map|+1] = parts2[0]; } } @@ -249,9 +249,9 @@ event bro_init() &priority=5 event file_new(f: fa_file) { local file_dir = ""; - local parts = split_all(f$source, /\/[^\/]*$/); + local parts = split_string_all(f$source, /\/[^\/]*$/); if ( |parts| == 3 ) - file_dir = parts[1]; + file_dir = parts[0]; if ( (watch_file != "" && f$source == watch_file) || (watch_dir != "" && compress_path(watch_dir) == file_dir) ) diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index bf1affcb01..d4d5c0244e 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro @@ -405,30 +405,30 @@ function default_path_func(id: ID, path: string, rec: any) : string local id_str = fmt("%s", id); - local parts = split1(id_str, /::/); + local parts = split_string1(id_str, /::/); if ( |parts| == 2 ) { # Example: Notice::LOG -> "notice" - if ( parts[2] == "LOG" ) + if ( parts[1] == "LOG" ) { - local module_parts = split_n(parts[1], /[^A-Z][A-Z][a-z]*/, T, 4); + local module_parts = split_string_n(parts[0], /[^A-Z][A-Z][a-z]*/, T, 4); local output = ""; - if ( 1 in module_parts ) - output = module_parts[1]; + if ( 0 in module_parts ) + output = module_parts[0]; + if ( 1 in module_parts && module_parts[1] != "" ) + output = cat(output, sub_bytes(module_parts[1],1,1), "_", sub_bytes(module_parts[1], 2, |module_parts[1]|)); if ( 2 in module_parts && module_parts[2] != "" ) - output = cat(output, sub_bytes(module_parts[2],1,1), "_", sub_bytes(module_parts[2], 2, |module_parts[2]|)); + output = cat(output, "_", module_parts[2]); if ( 3 in module_parts && module_parts[3] != "" ) - output = cat(output, "_", module_parts[3]); - if ( 4 in module_parts && module_parts[4] != "" ) - output = cat(output, sub_bytes(module_parts[4],1,1), "_", sub_bytes(module_parts[4], 2, |module_parts[4]|)); + output = cat(output, sub_bytes(module_parts[3],1,1), "_", sub_bytes(module_parts[3], 2, |module_parts[3]|)); return to_lower(output); } # Example: Notice::POLICY_LOG -> "notice_policy" - if ( /_LOG$/ in parts[2] ) - parts[2] = sub(parts[2], /_LOG$/, ""); + if ( /_LOG$/ in parts[1] ) + parts[1] = sub(parts[1], /_LOG$/, ""); - return cat(to_lower(parts[1]),"_",to_lower(parts[2])); + return cat(to_lower(parts[0]),"_",to_lower(parts[1])); } else return to_lower(id_str); diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro index f5c9927126..f7b8ce9326 100644 --- a/scripts/base/frameworks/software/main.bro +++ b/scripts/base/frameworks/software/main.bro @@ -133,62 +133,62 @@ function parse(unparsed_version: string): Description { # The regular expression should match the complete version number # and software name. - local version_parts = split_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1); - if ( 1 in version_parts ) + local version_parts = split_string_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1); + if ( 0 in version_parts ) { - if ( /^\(/ in version_parts[1] ) - software_name = strip(sub(version_parts[1], /[\(]/, "")); + if ( /^\(/ in version_parts[0] ) + software_name = strip(sub(version_parts[0], /[\(]/, "")); else - software_name = strip(version_parts[1]); + software_name = strip(version_parts[0]); } if ( |version_parts| >= 2 ) { # Remove the name/version separator if it's left at the beginning # of the version number from the previous split_all. - local sv = strip(version_parts[2]); + local sv = strip(version_parts[1]); if ( /^[\/\-\._v\(]/ in sv ) - sv = strip(sub(version_parts[2], /^\(?[\/\-\._v\(]/, "")); - local version_numbers = split_n(sv, /[\-\._,\[\(\{ ]/, F, 3); - if ( 5 in version_numbers && version_numbers[5] != "" ) - v$addl = strip(version_numbers[5]); - else if ( 3 in version_parts && version_parts[3] != "" && - version_parts[3] != ")" ) + sv = strip(sub(version_parts[1], /^\(?[\/\-\._v\(]/, "")); + local version_numbers = split_string_n(sv, /[\-\._,\[\(\{ ]/, F, 3); + if ( 4 in version_numbers && version_numbers[4] != "" ) + v$addl = strip(version_numbers[4]); + else if ( 2 in version_parts && version_parts[2] != "" && + version_parts[2] != ")" ) { - if ( /^[[:blank:]]*\([a-zA-Z0-9\-\._[:blank:]]*\)/ in version_parts[3] ) + if ( /^[[:blank:]]*\([a-zA-Z0-9\-\._[:blank:]]*\)/ in version_parts[2] ) { - v$addl = split_n(version_parts[3], /[\(\)]/, F, 2)[2]; + v$addl = split_string_n(version_parts[2], /[\(\)]/, F, 2)[1]; } else { - local vp = split_n(version_parts[3], /[\-\._,;\[\]\(\)\{\} ]/, F, 3); - if ( |vp| >= 1 && vp[1] != "" ) + local vp = split_string_n(version_parts[2], /[\-\._,;\[\]\(\)\{\} ]/, F, 3); + if ( |vp| >= 1 && vp[0] != "" ) + { + v$addl = strip(vp[0]); + } + else if ( |vp| >= 2 && vp[1] != "" ) { v$addl = strip(vp[1]); } - else if ( |vp| >= 2 && vp[2] != "" ) + else if ( |vp| >= 3 && vp[2] != "" ) { v$addl = strip(vp[2]); } - else if ( |vp| >= 3 && vp[3] != "" ) - { - v$addl = strip(vp[3]); - } else { - v$addl = strip(version_parts[3]); + v$addl = strip(version_parts[2]); } } } - if ( 4 in version_numbers && version_numbers[4] != "" ) - v$minor3 = extract_count(version_numbers[4]); if ( 3 in version_numbers && version_numbers[3] != "" ) - v$minor2 = extract_count(version_numbers[3]); + v$minor3 = extract_count(version_numbers[3]); if ( 2 in version_numbers && version_numbers[2] != "" ) - v$minor = extract_count(version_numbers[2]); + v$minor2 = extract_count(version_numbers[2]); if ( 1 in version_numbers && version_numbers[1] != "" ) - v$major = extract_count(version_numbers[1]); + v$minor = extract_count(version_numbers[1]); + if ( 0 in version_numbers && version_numbers[0] != "" ) + v$major = extract_count(version_numbers[0]); } } @@ -200,14 +200,14 @@ function parse_mozilla(unparsed_version: string): Description { local software_name = ""; local v: Version; - local parts: table[count] of string; + local parts: string_vec; if ( /Opera [0-9\.]*$/ in unparsed_version ) { software_name = "Opera"; - parts = split_all(unparsed_version, /Opera [0-9\.]*$/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Opera [0-9\.]*$/); + if ( 1 in parts ) + v = parse(parts[1])$version; } else if ( / MSIE |Trident\// in unparsed_version ) { @@ -222,28 +222,28 @@ function parse_mozilla(unparsed_version: string): Description v = [$major=11,$minor=0]; else { - parts = split_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } } else if ( /Version\/.*Safari\// in unparsed_version ) { software_name = "Safari"; - parts = split_all(unparsed_version, /Version\/[0-9\.]*/); - if ( 2 in parts ) + parts = split_string_all(unparsed_version, /Version\/[0-9\.]*/); + if ( 1 in parts ) { - v = parse(parts[2])$version; + v = parse(parts[1])$version; if ( / Mobile\/?.* Safari/ in unparsed_version ) v$addl = "Mobile"; } } else if ( /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/ in unparsed_version ) { - parts = split_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/); - if ( 2 in parts ) + parts = split_string_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/); + if ( 1 in parts ) { - local tmp_s = parse(parts[2]); + local tmp_s = parse(parts[1]); software_name = tmp_s$name; v = tmp_s$version; } @@ -251,48 +251,48 @@ function parse_mozilla(unparsed_version: string): Description else if ( /Chrome\/.*Safari\// in unparsed_version ) { software_name = "Chrome"; - parts = split_all(unparsed_version, /Chrome\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Chrome\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } else if ( /^Opera\// in unparsed_version ) { if ( /Opera M(ini|obi)\// in unparsed_version ) { - parts = split_all(unparsed_version, /Opera M(ini|obi)/); - if ( 2 in parts ) - software_name = parts[2]; - parts = split_all(unparsed_version, /Version\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Opera M(ini|obi)/); + if ( 1 in parts ) + software_name = parts[1]; + parts = split_string_all(unparsed_version, /Version\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; else { - parts = split_all(unparsed_version, /Opera Mini\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Opera Mini\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } } else { software_name = "Opera"; - parts = split_all(unparsed_version, /Version\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Version\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } } else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version ) { software_name = "Unspecified WebKit"; - parts = split_all(unparsed_version, /AppleWebKit\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /AppleWebKit\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } else if ( / Java\/[0-9]\./ in unparsed_version ) { software_name = "Java"; - parts = split_all(unparsed_version, /Java\/[0-9\._]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Java\/[0-9\._]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } return [$version=v, $unparsed_version=unparsed_version, $name=software_name]; diff --git a/scripts/base/protocols/dhcp/utils.bro b/scripts/base/protocols/dhcp/utils.bro index e49bfe6af9..9d5a422128 100644 --- a/scripts/base/protocols/dhcp/utils.bro +++ b/scripts/base/protocols/dhcp/utils.bro @@ -13,7 +13,7 @@ export { function reverse_ip(ip: addr): addr { - local octets = split(cat(ip), /\./); - return to_addr(cat(octets[4], ".", octets[3], ".", octets[2], ".", octets[1])); + local octets = split_string(cat(ip), /\./); + return to_addr(cat(octets[3], ".", octets[2], ".", octets[1], ".", octets[0])); } diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 9bc1f0d0f1..24195c1d7e 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -274,7 +274,7 @@ event file_transferred(c: connection, prefix: string, descr: string, if ( [id$resp_h, id$resp_p] in ftp_data_expected ) { local s = ftp_data_expected[id$resp_h, id$resp_p]; - s$mime_type = split1(mime_type, /;/)[1]; + s$mime_type = split_string1(mime_type, /;/)[0]; } } diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 0457da8ccf..2349635844 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -242,7 +242,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr else if ( name == "HOST" ) # The split is done to remove the occasional port value that shows up here. - c$http$host = split1(value, /:/)[1]; + c$http$host = split_string1(value, /:/)[0]; else if ( name == "RANGE" ) c$http$range_request = T; @@ -262,12 +262,12 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr if ( /^[bB][aA][sS][iI][cC] / in value ) { local userpass = decode_base64(sub(value, /[bB][aA][sS][iI][cC][[:blank:]]/, "")); - local up = split(userpass, /:/); + local up = split_string(userpass, /:/); if ( |up| >= 2 ) { - c$http$username = up[1]; + c$http$username = up[0]; if ( c$http$capture_password ) - c$http$password = up[2]; + c$http$password = up[1]; } else { diff --git a/scripts/base/protocols/http/utils.bro b/scripts/base/protocols/http/utils.bro index 3c75ae254b..88549f8404 100644 --- a/scripts/base/protocols/http/utils.bro +++ b/scripts/base/protocols/http/utils.bro @@ -42,12 +42,12 @@ function extract_keys(data: string, kv_splitter: pattern): string_vec { local key_vec: vector of string = vector(); - local parts = split(data, kv_splitter); + local parts = split_string(data, kv_splitter); for ( part_index in parts ) { - local key_val = split1(parts[part_index], /=/); - if ( 1 in key_val ) - key_vec[|key_vec|] = key_val[1]; + local key_val = split_string1(parts[part_index], /=/); + if ( 0 in key_val ) + key_vec[|key_vec|] = key_val[0]; } return key_vec; } diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index a22d93d2fa..925b0f4da5 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro @@ -98,7 +98,7 @@ event bro_init() &priority=5 function find_address_in_smtp_header(header: string): string { - local ips = find_ip_addresses(header); + local ips = extract_ip_addresses(header); # If there are more than one IP address found, return the second. if ( |ips| > 1 ) return ips[1]; @@ -163,7 +163,7 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) & { if ( ! c$smtp?$rcptto ) c$smtp$rcptto = set(); - add c$smtp$rcptto[split1(arg, /:[[:blank:]]*/)[2]]; + add c$smtp$rcptto[split_string1(arg, /:[[:blank:]]*/)[1]]; c$smtp$has_client_activity = T; } @@ -172,8 +172,8 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) & # Flush last message in case we didn't see the server's acknowledgement. smtp_message(c); - local partially_done = split1(arg, /:[[:blank:]]*/)[2]; - c$smtp$mailfrom = split1(partially_done, /[[:blank:]]?/)[1]; + local partially_done = split_string1(arg, /:[[:blank:]]*/)[1]; + c$smtp$mailfrom = split_string1(partially_done, /[[:blank:]]?/)[0]; c$smtp$has_client_activity = T; } } @@ -234,14 +234,14 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5 if ( ! c$smtp?$to ) c$smtp$to = set(); - local to_parts = split(h$value, /[[:blank:]]*,[[:blank:]]*/); + local to_parts = split_string(h$value, /[[:blank:]]*,[[:blank:]]*/); for ( i in to_parts ) add c$smtp$to[to_parts[i]]; } else if ( h$name == "X-ORIGINATING-IP" ) { - local addresses = find_ip_addresses(h$value); + local addresses = extract_ip_addresses(h$value); if ( 1 in addresses ) c$smtp$x_originating_ip = to_addr(addresses[1]); } diff --git a/scripts/base/utils/active-http.bro b/scripts/base/utils/active-http.bro index 5dc512408a..de78eeac6d 100644 --- a/scripts/base/utils/active-http.bro +++ b/scripts/base/utils/active-http.bro @@ -105,21 +105,21 @@ function request(req: Request): ActiveHTTP::Response # The reply is the first line. if ( i == 0 ) { - local response_line = split_n(headers[0], /[[:blank:]]+/, F, 2); + local response_line = split_string_n(headers[0], /[[:blank:]]+/, F, 2); if ( |response_line| != 3 ) return resp; - resp$code = to_count(response_line[2]); - resp$msg = response_line[3]; + resp$code = to_count(response_line[1]); + resp$msg = response_line[2]; resp$body = join_string_vec(result$files[bodyfile], ""); } else { local line = headers[i]; - local h = split1(line, /:/); + local h = split_string1(line, /:/); if ( |h| != 2 ) next; - resp$headers[h[1]] = sub_bytes(h[2], 0, |h[2]|-1); + resp$headers[h[0]] = sub_bytes(h[1], 0, |h[1]|-1); } } return resp; diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.bro index 9e33e6d585..e8fd746e5e 100644 --- a/scripts/base/utils/addrs.bro +++ b/scripts/base/utils/addrs.bro @@ -32,7 +32,7 @@ const ip_addr_regex = ## octets: an array of strings to check for valid octet values. ## ## Returns: T if every element is between 0 and 255, inclusive, else F. -function has_valid_octets(octets: string_array): bool +function has_valid_octets(octets: string_vec): bool { local num = 0; for ( i in octets ) @@ -51,10 +51,10 @@ function has_valid_octets(octets: string_array): bool ## Returns: T if the string is a valid IPv4 or IPv6 address format. function is_valid_ip(ip_str: string): bool { - local octets: string_array; + local octets: string_vec; if ( ip_str == ipv4_addr_regex ) { - octets = split(ip_str, /\./); + octets = split_string(ip_str, /\./); if ( |octets| != 4 ) return F; @@ -67,13 +67,13 @@ function is_valid_ip(ip_str: string): bool { # the regexes for hybrid IPv6-IPv4 address formats don't for valid # octets within the IPv4 part, so do that now - octets = split(ip_str, /\./); + octets = split_string(ip_str, /\./); if ( |octets| != 4 ) return F; # get rid of remaining IPv6 stuff in first octet - local tmp = split(octets[1], /:/); - octets[1] = tmp[|tmp|]; + local tmp = split_string(octets[0], /:/); + octets[0] = tmp[|tmp| - 1]; return has_valid_octets(octets); } @@ -92,14 +92,32 @@ function is_valid_ip(ip_str: string): bool ## input: a string that may contain an IP address anywhere within it. ## ## Returns: an array containing all valid IP address strings found in *input*. -function find_ip_addresses(input: string): string_array +function find_ip_addresses(input: string): string_array &deprecated { - local parts = split_all(input, ip_addr_regex); + local parts = split_string_all(input, ip_addr_regex); local output: string_array; for ( i in parts ) { - if ( i % 2 == 0 && is_valid_ip(parts[i]) ) + if ( i % 2 == 1 && is_valid_ip(parts[i]) ) + output[|output|] = parts[i]; + } + return output; + } + +## Extracts all IP (v4 or v6) address strings from a given string. +## +## input: a string that may contain an IP address anywhere within it. +## +## Returns: an array containing all valid IP address strings found in *input*. +function extract_ip_addresses(input: string): string_vec + { + local parts = split_string_all(input, ip_addr_regex); + local output: string_vec; + + for ( i in parts ) + { + if ( i % 2 == 1 && is_valid_ip(parts[i]) ) output[|output|] = parts[i]; } return output; diff --git a/scripts/base/utils/exec.bro b/scripts/base/utils/exec.bro index 37ec35cb2c..15d88e9851 100644 --- a/scripts/base/utils/exec.bro +++ b/scripts/base/utils/exec.bro @@ -82,9 +82,9 @@ event Exec::line(description: Input::EventDescription, tpe: Input::Event, s: str event Exec::file_line(description: Input::EventDescription, tpe: Input::Event, s: string) { - local parts = split1(description$name, /_/); - local name = parts[1]; - local track_file = parts[2]; + local parts = split_string1(description$name, /_/); + local name = parts[0]; + local track_file = parts[1]; local result = results[name]; if ( ! result?$files ) @@ -99,13 +99,13 @@ event Exec::file_line(description: Input::EventDescription, tpe: Input::Event, s event Input::end_of_data(orig_name: string, source:string) { local name = orig_name; - local parts = split1(name, /_/); - name = parts[1]; + local parts = split_string1(name, /_/); + name = parts[0]; if ( name !in pending_commands || |parts| < 2 ) return; - local track_file = parts[2]; + local track_file = parts[1]; # If the file is empty, still add it to the result$files table. This is needed # because it is expected that the file was read even if it was empty. diff --git a/scripts/base/utils/files.bro b/scripts/base/utils/files.bro index b88ae5763e..766efd649c 100644 --- a/scripts/base/utils/files.bro +++ b/scripts/base/utils/files.bro @@ -23,7 +23,7 @@ function extract_filename_from_content_disposition(data: string): string # Remove quotes around the filename if they are there. if ( /^\"/ in filename ) - filename = split_n(filename, /\"/, F, 2)[2]; + filename = split_string_n(filename, /\"/, F, 2)[1]; # Remove the language and encoding if it's there. if ( /^[a-zA-Z0-9\!#$%&+-^_`{}~]+'[a-zA-Z0-9\!#$%&+-^_`{}~]*'/ in filename ) diff --git a/scripts/base/utils/numbers.bro b/scripts/base/utils/numbers.bro index 9b100862d4..da8c15d7a0 100644 --- a/scripts/base/utils/numbers.bro +++ b/scripts/base/utils/numbers.bro @@ -2,9 +2,9 @@ ## If no integer can be found, 0 is returned. function extract_count(s: string): count { - local parts = split_n(s, /[0-9]+/, T, 1); - if ( 2 in parts ) - return to_count(parts[2]); + local parts = split_string_n(s, /[0-9]+/, T, 1); + if ( 1 in parts ) + return to_count(parts[1]); else return 0; - } \ No newline at end of file + } diff --git a/scripts/base/utils/paths.bro b/scripts/base/utils/paths.bro index ce083eb6d0..6de5b85e2e 100644 --- a/scripts/base/utils/paths.bro +++ b/scripts/base/utils/paths.bro @@ -13,12 +13,12 @@ const absolute_path_pat = /(\/|[A-Za-z]:[\\\/]).*/; function extract_path(input: string): string { const dir_pattern = /(\/|[A-Za-z]:[\\\/])([^\"\ ]|(\\\ ))*/; - local parts = split_all(input, dir_pattern); + local parts = split_string_all(input, dir_pattern); if ( |parts| < 3 ) return ""; - return parts[2]; + return parts[1]; } ## Compresses a given path by removing '..'s and the parent directory it @@ -31,27 +31,27 @@ function compress_path(dir: string): string { const cdup_sep = /((\/)*([^\/]|\\\/)+)?((\/)+\.\.(\/)*)/; - local parts = split_n(dir, cdup_sep, T, 1); + local parts = split_string_n(dir, cdup_sep, T, 1); if ( |parts| > 1 ) { # reaching a point with two parent dir references back-to-back means # we don't know about anything higher in the tree to pop off - if ( parts[2] == "../.." ) - return cat_string_array(parts); - if ( sub_bytes(parts[2], 0, 1) == "/" ) - parts[2] = "/"; + if ( parts[1] == "../.." ) + return join_string_vec(parts, ""); + if ( sub_bytes(parts[1], 0, 1) == "/" ) + parts[1] = "/"; else - parts[2] = ""; - dir = cat_string_array(parts); + parts[1] = ""; + dir = join_string_vec(parts, ""); return compress_path(dir); } const multislash_sep = /(\/\.?){2,}/; - parts = split_all(dir, multislash_sep); + parts = split_string_all(dir, multislash_sep); for ( i in parts ) - if ( i % 2 == 0 ) + if ( i % 2 == 1 ) parts[i] = "/"; - dir = cat_string_array(parts); + dir = join_string_vec(parts, ""); # remove trailing slashes from path if ( |dir| > 1 && sub_bytes(dir, |dir|, 1) == "/" ) diff --git a/scripts/base/utils/patterns.bro b/scripts/base/utils/patterns.bro index 957e19a14b..47b8cf4e37 100644 --- a/scripts/base/utils/patterns.bro +++ b/scripts/base/utils/patterns.bro @@ -50,11 +50,11 @@ type PatternMatchResult: record { ## Returns: a record indicating the match status. function match_pattern(s: string, p: pattern): PatternMatchResult { - local a = split_n(s, p, T, 1); + local a = split_string_n(s, p, T, 1); if ( |a| == 1 ) # no match return [$matched = F, $str = "", $off = 0]; else - return [$matched = T, $str = a[2], $off = |a[1]| + 1]; + return [$matched = T, $str = a[1], $off = |a[0]| + 1]; } diff --git a/scripts/base/utils/urls.bro b/scripts/base/utils/urls.bro index d4279cd0ce..41a2ab5639 100644 --- a/scripts/base/utils/urls.bro +++ b/scripts/base/utils/urls.bro @@ -48,7 +48,7 @@ function find_all_urls_without_scheme(s: string): string_set function decompose_uri(s: string): URI { - local parts: string_array; + local parts: string_vec; local u: URI = [$netlocation="", $path="/"]; if ( /\?/ in s) @@ -56,55 +56,55 @@ function decompose_uri(s: string): URI # Parse query. u$params = table(); - parts = split1(s, /\?/); - s = parts[1]; - local query: string = parts[2]; + parts = split_string1(s, /\?/); + s = parts[0]; + local query: string = parts[1]; if ( /&/ in query ) { - local opv: table[count] of string = split(query, /&/); + local opv = split_string(query, /&/); for ( each in opv ) { if ( /=/ in opv[each] ) { - parts = split1(opv[each], /=/); - u$params[parts[1]] = parts[2]; + parts = split_string1(opv[each], /=/); + u$params[parts[0]] = parts[1]; } } } else { - parts = split1(query, /=/); - u$params[parts[1]] = parts[2]; + parts = split_string1(query, /=/); + u$params[parts[0]] = parts[1]; } } if ( /:\/\// in s ) { # Parse scheme and remove from s. - parts = split1(s, /:\/\//); - u$scheme = parts[1]; - s = parts[2]; + parts = split_string1(s, /:\/\//); + u$scheme = parts[0]; + s = parts[1]; } if ( /\// in s ) { # Parse path and remove from s. - parts = split1(s, /\//); - s = parts[1]; - u$path = fmt("/%s", parts[2]); + parts = split_string1(s, /\//); + s = parts[0]; + u$path = fmt("/%s", parts[1]); if ( |u$path| > 1 && u$path[|u$path| - 1] != "/" ) { local last_token: string = find_last(u$path, /\/.+/); - local full_filename = split1(last_token, /\//)[2]; + local full_filename = split_string1(last_token, /\//)[1]; if ( /\./ in full_filename ) { u$file_name = full_filename; - u$file_base = split1(full_filename, /\./)[1]; - u$file_ext = split1(full_filename, /\./)[2]; + u$file_base = split_string1(full_filename, /\./)[0]; + u$file_ext = split_string1(full_filename, /\./)[1]; } else { @@ -117,9 +117,9 @@ function decompose_uri(s: string): URI if ( /:/ in s ) { # Parse location and port. - parts = split1(s, /:/); - u$netlocation = parts[1]; - u$portnum = to_count(parts[2]); + parts = split_string1(s, /:/); + u$netlocation = parts[0]; + u$portnum = to_count(parts[1]); } else u$netlocation = s; diff --git a/scripts/policy/frameworks/files/detect-MHR.bro b/scripts/policy/frameworks/files/detect-MHR.bro index d0b8a852e6..6917212356 100644 --- a/scripts/policy/frameworks/files/detect-MHR.bro +++ b/scripts/policy/frameworks/files/detect-MHR.bro @@ -42,15 +42,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro index a961896640..864b685126 100644 --- a/scripts/policy/frameworks/intel/seen/http-headers.bro +++ b/scripts/policy/frameworks/intel/seen/http-headers.bro @@ -31,7 +31,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) case "X-FORWARDED-FOR": if ( is_valid_ip(value) ) { - local addrs = find_ip_addresses(value); + local addrs = extract_ip_addresses(value); for ( i in addrs ) { Intel::seen([$host=to_addr(addrs[i]), diff --git a/scripts/policy/frameworks/intel/seen/smtp.bro b/scripts/policy/frameworks/intel/seen/smtp.bro index d760995e51..0393dbab7d 100644 --- a/scripts/policy/frameworks/intel/seen/smtp.bro +++ b/scripts/policy/frameworks/intel/seen/smtp.bro @@ -30,10 +30,10 @@ event mime_end_entity(c: connection) if ( c$smtp?$mailfrom ) { - local mailfromparts = split_n(c$smtp$mailfrom, /<.+>/, T, 1); + local mailfromparts = split_string_n(c$smtp$mailfrom, /<.+>/, T, 1); if ( |mailfromparts| > 2 ) { - Intel::seen([$indicator=mailfromparts[2][1:-2], + Intel::seen([$indicator=mailfromparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_MAIL_FROM]); @@ -44,10 +44,10 @@ event mime_end_entity(c: connection) { for ( rcptto in c$smtp$rcptto ) { - local rcpttoparts = split_n(rcptto, /<.+>/, T, 1); + local rcpttoparts = split_string_n(rcptto, /<.+>/, T, 1); if ( |rcpttoparts| > 2 ) { - Intel::seen([$indicator=rcpttoparts[2][1:-2], + Intel::seen([$indicator=rcpttoparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_RCPT_TO]); @@ -57,10 +57,10 @@ event mime_end_entity(c: connection) if ( c$smtp?$from ) { - local fromparts = split_n(c$smtp$from, /<.+>/, T, 1); + local fromparts = split_string_n(c$smtp$from, /<.+>/, T, 1); if ( |fromparts| > 2 ) { - Intel::seen([$indicator=fromparts[2][1:-2], + Intel::seen([$indicator=fromparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_FROM]); @@ -71,10 +71,10 @@ event mime_end_entity(c: connection) { for ( email_to in c$smtp$to ) { - local toparts = split_n(email_to, /<.+>/, T, 1); + local toparts = split_string_n(email_to, /<.+>/, T, 1); if ( |toparts| > 2 ) { - Intel::seen([$indicator=toparts[2][1:-2], + Intel::seen([$indicator=toparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_TO]); @@ -84,10 +84,10 @@ event mime_end_entity(c: connection) if ( c$smtp?$reply_to ) { - local replytoparts = split_n(c$smtp$reply_to, /<.+>/, T, 1); + local replytoparts = split_string_n(c$smtp$reply_to, /<.+>/, T, 1); if ( |replytoparts| > 2 ) { - Intel::seen([$indicator=replytoparts[2][1:-2], + Intel::seen([$indicator=replytoparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_REPLY_TO]); diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro index ee8d90b21f..527623d621 100644 --- a/scripts/policy/frameworks/software/vulnerable.bro +++ b/scripts/policy/frameworks/software/vulnerable.bro @@ -55,18 +55,18 @@ function decode_vulnerable_version_range(vuln_sw: string): VulnerableVersionRang return vvr; } - local versions = split1(vuln_sw, /\x09/); + local versions = split_string1(vuln_sw, /\x09/); for ( i in versions ) { - local field_and_ver = split1(versions[i], /=/); + local field_and_ver = split_string1(versions[i], /=/); if ( |field_and_ver| != 2 ) return vvr; #failure! - local ver = Software::parse(field_and_ver[2])$version; - if ( field_and_ver[1] == "min" ) + local ver = Software::parse(field_and_ver[1])$version; + if ( field_and_ver[0] == "min" ) vvr$min = ver; - else if ( field_and_ver[1] == "max" ) + else if ( field_and_ver[0] == "max" ) vvr$max = ver; } @@ -84,15 +84,15 @@ event grab_vulnerable_versions(i: count) when ( local result = lookup_hostname_txt(cat(i,".",vulnerable_versions_update_endpoint)) ) { - local parts = split1(result, /\x09/); + local parts = split_string1(result, /\x09/); if ( |parts| != 2 ) #failure or end of list! { schedule vulnerable_versions_update_interval { grab_vulnerable_versions(1) }; return; } - local sw = parts[1]; - local vvr = decode_vulnerable_version_range(parts[2]); + local sw = parts[0]; + local vvr = decode_vulnerable_version_range(parts[1]); if ( sw !in internal_vulnerable_versions ) internal_vulnerable_versions[sw] = set(); add internal_vulnerable_versions[sw][vvr]; diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro index aa403e6a08..68151e209a 100644 --- a/scripts/policy/misc/detect-traceroute/main.bro +++ b/scripts/policy/misc/detect-traceroute/main.bro @@ -74,10 +74,10 @@ event bro_init() &priority=5 $threshold=icmp_time_exceeded_threshold, $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = { - local parts = split_n(key$str, /-/, F, 2); - local src = to_addr(parts[1]); - local dst = to_addr(parts[2]); - local proto = parts[3]; + local parts = split_string_n(key$str, /-/, F, 2); + local src = to_addr(parts[0]); + local dst = to_addr(parts[1]); + local proto = parts[2]; Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst, $proto=proto]); NOTICE([$note=Traceroute::Detected, $msg=fmt("%s seems to be running traceroute using %s", src, proto), diff --git a/scripts/policy/protocols/http/software-browser-plugins.bro b/scripts/policy/protocols/http/software-browser-plugins.bro index b466a9da40..ab4bb93b15 100644 --- a/scripts/policy/protocols/http/software-browser-plugins.bro +++ b/scripts/policy/protocols/http/software-browser-plugins.bro @@ -45,13 +45,13 @@ event log_http(rec: Info) if ( rec$omniture && rec?$uri ) { # We do {5,} because sometimes we see p=6 in the urls. - local parts = split_n(rec$uri, /&p=([^&]{5,});&/, T, 1); - if ( 2 in parts ) + local parts = split_string_n(rec$uri, /&p=([^&]{5,});&/, T, 1); + if ( 1 in parts ) { # We do sub_bytes here just to remove the extra extracted # characters from the regex split above. - local sw = sub_bytes(parts[2], 4, |parts[2]|-5); - local plugins = split(sw, /[[:blank:]]*;[[:blank:]]*/); + local sw = sub_bytes(parts[1], 4, |parts[1]|-5); + local plugins = split_string(sw, /[[:blank:]]*;[[:blank:]]*/); for ( i in plugins ) Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]); diff --git a/scripts/policy/protocols/smtp/blocklists.bro b/scripts/policy/protocols/smtp/blocklists.bro index b1fb0e498d..57aef4ee48 100644 --- a/scripts/policy/protocols/smtp/blocklists.bro +++ b/scripts/policy/protocols/smtp/blocklists.bro @@ -47,7 +47,7 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string, local message = fmt("%s received an error message mentioning an SMTP block list", c$id$orig_h); # Determine if the originator's IP address is in the message. - local ips = find_ip_addresses(msg); + local ips = extract_ip_addresses(msg); local text_ip = ""; if ( |ips| > 0 && to_addr(ips[0]) == c$id$orig_h ) { diff --git a/scripts/policy/protocols/ssl/notary.bro b/scripts/policy/protocols/ssl/notary.bro index e2b0bb2faf..07f2cdebc4 100644 --- a/scripts/policy/protocols/ssl/notary.bro +++ b/scripts/policy/protocols/ssl/notary.bro @@ -70,23 +70,23 @@ event ssl_established(c: connection) &priority=3 clear_waitlist(digest); return; } - local fields = split(str, / /); + local fields = split_string(str, / /); if ( |fields| != 5 ) # version 1 has 5 fields. { clear_waitlist(digest); return; } - local version = split(fields[1], /=/)[2]; + local version = split_string(fields[0], /=/)[1]; if ( version != "1" ) { clear_waitlist(digest); return; } local r = notary_cache[digest]; - r$first_seen = to_count(split(fields[2], /=/)[2]); - r$last_seen = to_count(split(fields[3], /=/)[2]); - r$times_seen = to_count(split(fields[4], /=/)[2]); - r$valid = split(fields[5], /=/)[2] == "1"; + r$first_seen = to_count(split_string(fields[1], /=/)[1]); + r$last_seen = to_count(split_string(fields[2], /=/)[1]); + r$times_seen = to_count(split_string(fields[3], /=/)[1]); + r$valid = split_string(fields[4], /=/)[1] == "1"; # Assign notary answer to all records waiting for this digest. if ( digest in waitlist ) diff --git a/src/Attr.cc b/src/Attr.cc index 13106b02b7..fc8d3000d1 100644 --- a/src/Attr.cc +++ b/src/Attr.cc @@ -18,7 +18,7 @@ const char* attr_name(attr_tag t) "&encrypt", "&raw_output", "&mergeable", "&priority", "&group", "&log", "&error_handler", "&type_column", - "(&tracked)", + "(&tracked)", "&deprecated", }; return attr_names[int(t)]; @@ -212,6 +212,7 @@ void Attributes::DescribeReST(ODesc* d) const void Attributes::CheckAttr(Attr* a) { switch ( a->Tag() ) { + case ATTR_DEPRECATED: case ATTR_OPTIONAL: case ATTR_REDEF: break; diff --git a/src/Attr.h b/src/Attr.h index 228bc2e5fc..63f2524c21 100644 --- a/src/Attr.h +++ b/src/Attr.h @@ -34,7 +34,8 @@ typedef enum { ATTR_ERROR_HANDLER, ATTR_TYPE_COLUMN, // for input framework ATTR_TRACKED, // hidden attribute, tracked by NotifierRegistry -#define NUM_ATTRS (int(ATTR_TRACKED) + 1) + ATTR_DEPRECATED, +#define NUM_ATTRS (int(ATTR_DEPRECATED) + 1) } attr_tag; class Attr : public BroObj { diff --git a/src/Expr.cc b/src/Expr.cc index 671f9b2d41..d2dcb1585b 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -3213,6 +3213,10 @@ FieldExpr::FieldExpr(Expr* arg_op, const char* arg_field_name) { SetType(rt->FieldType(field)->Ref()); td = rt->FieldDecl(field); + + if ( td->FindAttr(ATTR_DEPRECATED) ) + reporter->Warning("deprecated (%s$%s)", rt->GetName().c_str(), + field_name); } } } @@ -3333,6 +3337,9 @@ HasFieldExpr::HasFieldExpr(Expr* arg_op, const char* arg_field_name) if ( field < 0 ) ExprError("no such field in record"); + else if ( rt->FieldDecl(field)->FindAttr(ATTR_DEPRECATED) ) + reporter->Warning("deprecated (%s?$%s)", rt->GetName().c_str(), + field_name); SetType(base_type(TYPE_BOOL)); } @@ -4147,16 +4154,28 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r) } for ( i = 0; i < map_size; ++i ) - if ( map[i] == -1 && - ! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) ) + { + if ( map[i] == -1 ) { - char buf[512]; - safe_snprintf(buf, sizeof(buf), - "non-optional field \"%s\" missing", t_r->FieldName(i)); - Error(buf); - SetError(); - break; + if ( ! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) ) + { + char buf[512]; + safe_snprintf(buf, sizeof(buf), + "non-optional field \"%s\" missing", + t_r->FieldName(i)); + Error(buf); + SetError(); + break; + } } + else + { + if ( t_r->FieldDecl(i)->FindAttr(ATTR_DEPRECATED) ) + reporter->Warning("deprecated (%s$%s)", + t_r->GetName().c_str(), + t_r->FieldName(i)); + } + } } } diff --git a/src/ID.cc b/src/ID.cc index aa965b880e..a308ffa81d 100644 --- a/src/ID.cc +++ b/src/ID.cc @@ -248,6 +248,16 @@ void ID::UpdateValAttrs() } } +void ID::MakeDeprecated() + { + if ( IsDeprecated() ) + return; + + attr_list* attr = new attr_list; + attr->append(new Attr(ATTR_DEPRECATED)); + AddAttrs(new Attributes(attr, Type(), false)); + } + void ID::AddAttrs(Attributes* a) { if ( attrs ) diff --git a/src/ID.h b/src/ID.h index 31cfad4191..805a8e391b 100644 --- a/src/ID.h +++ b/src/ID.h @@ -80,6 +80,11 @@ public: Attr* FindAttr(attr_tag t) const { return attrs ? attrs->FindAttr(t) : 0; } + bool IsDeprecated() const + { return FindAttr(ATTR_DEPRECATED) != 0; } + + void MakeDeprecated(); + void Error(const char* msg, const BroObj* o2 = 0); void Describe(ODesc* d) const; diff --git a/src/Type.cc b/src/Type.cc index ead31f1b7d..9aa86da8dc 100644 --- a/src/Type.cc +++ b/src/Type.cc @@ -1434,7 +1434,7 @@ EnumType::~EnumType() // Note, we use reporter->Error() here (not Error()) to include the current script // location in the error message, rather than the one where the type was // originally defined. -void EnumType::AddName(const string& module_name, const char* name, bool is_export) +void EnumType::AddName(const string& module_name, const char* name, bool is_export, bool deprecated) { /* implicit, auto-increment */ if ( counter < 0) @@ -1443,11 +1443,11 @@ void EnumType::AddName(const string& module_name, const char* name, bool is_expo SetError(); return; } - CheckAndAddName(module_name, name, counter, is_export); + CheckAndAddName(module_name, name, counter, is_export, deprecated); counter++; } -void EnumType::AddName(const string& module_name, const char* name, bro_int_t val, bool is_export) +void EnumType::AddName(const string& module_name, const char* name, bro_int_t val, bool is_export, bool deprecated) { /* explicit value specified */ if ( counter > 0 ) @@ -1457,11 +1457,11 @@ void EnumType::AddName(const string& module_name, const char* name, bro_int_t va return; } counter = -1; - CheckAndAddName(module_name, name, val, is_export); + CheckAndAddName(module_name, name, val, is_export, deprecated); } void EnumType::CheckAndAddName(const string& module_name, const char* name, - bro_int_t val, bool is_export) + bro_int_t val, bool is_export, bool deprecated) { if ( Lookup(val) ) { @@ -1477,6 +1477,10 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name, id = install_ID(name, module_name.c_str(), true, is_export); id->SetType(this->Ref()); id->SetEnumConst(); + + if ( deprecated ) + id->MakeDeprecated(); + broxygen_mgr->Identifier(id); } else diff --git a/src/Type.h b/src/Type.h index a9f1e42a6d..f902b0d907 100644 --- a/src/Type.h +++ b/src/Type.h @@ -554,12 +554,12 @@ public: // The value of this name is next internal counter value, starting // with zero. The internal counter is incremented. - void AddName(const string& module_name, const char* name, bool is_export); + void AddName(const string& module_name, const char* name, bool is_export, bool deprecated); // The value of this name is set to val. Once a value has been // explicitly assigned using this method, no further names can be // added that aren't likewise explicitly initalized. - void AddName(const string& module_name, const char* name, bro_int_t val, bool is_export); + void AddName(const string& module_name, const char* name, bro_int_t val, bool is_export, bool deprecated); // -1 indicates not found. bro_int_t Lookup(const string& module_name, const char* name) const; @@ -580,7 +580,8 @@ protected: const char* name, bro_int_t val, bool is_export); void CheckAndAddName(const string& module_name, - const char* name, bro_int_t val, bool is_export); + const char* name, bro_int_t val, bool is_export, + bool deprecated); typedef std::map< const char*, bro_int_t, ltstr > NameMap; NameMap names; diff --git a/src/Var.cc b/src/Var.cc index 0a196b9cac..95ec5802ef 100644 --- a/src/Var.cc +++ b/src/Var.cc @@ -435,6 +435,10 @@ void end_func(Stmt* body, attr_list* attrs) loop_over_list(*attrs, i) { Attr* a = (*attrs)[i]; + + if ( a->Tag() == ATTR_DEPRECATED ) + continue; + if ( a->Tag() != ATTR_PRIORITY ) { a->Error("illegal attribute for function body"); diff --git a/src/analyzer/protocol/mysql/events.bif b/src/analyzer/protocol/mysql/events.bif index d7160c1ac6..bd81e8b8a4 100644 --- a/src/analyzer/protocol/mysql/events.bif +++ b/src/analyzer/protocol/mysql/events.bif @@ -9,7 +9,7 @@ ## ## arg: The argument for the command (empty string if not provided). ## -## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake_response +## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake event mysql_command_request%(c: connection, command: count, arg: string%); ## Generated for an unsuccessful MySQL response. @@ -23,7 +23,7 @@ event mysql_command_request%(c: connection, command: count, arg: string%); ## ## msg: Any extra details about the error (empty string if not provided). ## -## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake_response +## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake event mysql_error%(c: connection, code: count, msg: string%); ## Generated for a successful MySQL response. @@ -35,7 +35,7 @@ event mysql_error%(c: connection, code: count, msg: string%); ## ## affected_rows: The number of rows that were affected. ## -## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake_response +## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake event mysql_ok%(c: connection, affected_rows: count%); ## Generated for the initial server handshake packet, which includes the MySQL server version. @@ -47,7 +47,7 @@ event mysql_ok%(c: connection, affected_rows: count%); ## ## ver: The server version string. ## -## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake_response +## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake event mysql_server_version%(c: connection, ver: string%); ## Generated for a client handshake response packet, which includes the username the client is attempting diff --git a/src/builtin-func.y b/src/builtin-func.y index 1b22436fff..0f895ced52 100644 --- a/src/builtin-func.y +++ b/src/builtin-func.y @@ -287,7 +287,7 @@ void record_bif_item(const char* id, const char* type) %left ',' ':' -%type TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type attr_list opt_attr_list +%type TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type attr_list opt_attr_list opt_func_attrs %type TOK_ATOM TOK_BOOL %union { @@ -372,7 +372,13 @@ type_def_types: TOK_RECORD { set_definition_type(TYPE_DEF, "Table"); } ; -event_def: event_prefix opt_ws plain_head opt_attr_list +opt_func_attrs: attr_list opt_ws + { $$ = $1; } + | /* nothing */ + { $$ = ""; } + ; + +event_def: event_prefix opt_ws plain_head opt_func_attrs { fprintf(fp_bro_init, "%s", $4); } end_of_head ';' { print_event_c_prototype(fp_func_h, true); @@ -380,13 +386,16 @@ event_def: event_prefix opt_ws plain_head opt_attr_list print_event_c_body(fp_func_def); } -func_def: func_prefix opt_ws typed_head end_of_head body +func_def: func_prefix opt_ws typed_head opt_func_attrs + { fprintf(fp_bro_init, "%s", $4); } end_of_head body ; -enum_def: enum_def_1 enum_list TOK_RPB +enum_def: enum_def_1 enum_list TOK_RPB opt_attr_list { // First, put an end to the enum type decl. - fprintf(fp_bro_init, "};\n"); + fprintf(fp_bro_init, "} "); + fprintf(fp_bro_init, "%s", $4); + fprintf(fp_bro_init, ";\n"); if ( decl.module_name != GLOBAL_MODULE_NAME ) fprintf(fp_netvar_h, "}; } }\n"); else diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index 4e4b4c6cdb..480d8c84d8 100644 --- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif @@ -29,7 +29,7 @@ function Files::__disable_reassembly%(file_id: string%): bool return new Val(result, TYPE_BOOL); %} -## :bro:see:`Files::set_reassembly_buffer`. +## :bro:see:`Files::set_reassembly_buffer_size`. function Files::__set_reassembly_buffer%(file_id: string, max: count%): bool %{ bool result = file_mgr->SetReassemblyBuffer(file_id->CheckString(), max); diff --git a/src/parse.y b/src/parse.y index 83760dbbf0..f74880dc13 100644 --- a/src/parse.y +++ b/src/parse.y @@ -2,7 +2,7 @@ // See the file "COPYING" in the main distribution directory for copyright. %} -%expect 75 +%expect 78 %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF @@ -24,7 +24,7 @@ %token TOK_ATTR_PERSISTENT TOK_ATTR_SYNCHRONIZED %token TOK_ATTR_RAW_OUTPUT TOK_ATTR_MERGEABLE %token TOK_ATTR_PRIORITY TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER -%token TOK_ATTR_TYPE_COLUMN +%token TOK_ATTR_TYPE_COLUMN TOK_ATTR_DEPRECATED %token TOK_DEBUG @@ -44,7 +44,7 @@ %right '!' %left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR -%type opt_no_test opt_no_test_block +%type opt_no_test opt_no_test_block opt_deprecated %type TOK_ID TOK_PATTERN_TEXT single_pattern %type local_id global_id def_global_id event_id global_or_event_id resolve_id begin_func %type local_id_list @@ -227,6 +227,18 @@ static bool expr_is_table_type_name(const Expr* expr) return false; } + +static bool has_attr(const attr_list* al, attr_tag tag) + { + if ( ! al ) + return false; + + for ( int i = 0; i < al->length(); ++i ) + if ( (*al)[i]->Tag() == tag ) + return true; + + return false; + } %} %union { @@ -671,6 +683,9 @@ expr: } else $$ = new NameExpr(id); + + if ( id->IsDeprecated() ) + reporter->Warning("deprecated (%s)", id->Name()); } } @@ -759,7 +774,7 @@ enum_body_elem: error messages if someboy tries to use constant variables as enumerator. */ - TOK_ID '=' TOK_CONSTANT + TOK_ID '=' TOK_CONSTANT opt_deprecated { set_location(@1, @3); assert(cur_enum_type); @@ -768,7 +783,7 @@ enum_body_elem: reporter->Error("enumerator is not a count constant"); else cur_enum_type->AddName(current_module, $1, - $3->InternalUnsigned(), is_export); + $3->InternalUnsigned(), is_export, $4); } | TOK_ID '=' '-' TOK_CONSTANT @@ -780,11 +795,11 @@ enum_body_elem: reporter->Error("enumerator is not a count constant"); } - | TOK_ID + | TOK_ID opt_deprecated { set_location(@1); assert(cur_enum_type); - cur_enum_type->AddName(current_module, $1, is_export); + cur_enum_type->AddName(current_module, $1, is_export, $2); } ; @@ -963,7 +978,12 @@ type: $$ = error_type(); } else + { Ref($$); + + if ( $1->IsDeprecated() ) + reporter->Warning("deprecated (%s)", $1->Name()); + } } ; @@ -1139,6 +1159,9 @@ func_body: { saved_in_init.push_back(in_init); in_init = 0; + + if ( has_attr($1, ATTR_DEPRECATED) ) + current_scope()->ScopeID()->MakeDeprecated(); } stmt_list @@ -1265,6 +1288,8 @@ attr: { $$ = new Attr(ATTR_LOG); } | TOK_ATTR_ERROR_HANDLER { $$ = new Attr(ATTR_ERROR_HANDLER); } + | TOK_ATTR_DEPRECATED + { $$ = new Attr(ATTR_DEPRECATED); } ; stmt: @@ -1450,6 +1475,10 @@ event: { set_location(@1, @4); $$ = new EventExpr($1, $3); + ID* id = lookup_ID($1, current_module.c_str()); + + if ( id && id->IsDeprecated() ) + reporter->Warning("deprecated (%s)", id->Name()); } ; @@ -1556,6 +1585,15 @@ global_or_event_id: if ( ! $$->IsGlobal() ) $$->Error("already a local identifier"); + if ( $$->IsDeprecated() ) + { + BroType* t = $$->Type(); + + if ( t->Tag() != TYPE_FUNC || + t->AsFuncType()->Flavor() != FUNC_FLAVOR_FUNCTION ) + reporter->Warning("deprecated (%s)", $$->Name()); + } + delete [] $1; } @@ -1597,6 +1635,12 @@ opt_no_test_block: | { $$ = false; } +opt_deprecated: + TOK_ATTR_DEPRECATED + { $$ = true; } + | + { $$ = false; } + %% int yyerror(const char msg[]) diff --git a/src/plugin/ComponentManager.h b/src/plugin/ComponentManager.h index 7337cf069a..0069c77359 100644 --- a/src/plugin/ComponentManager.h +++ b/src/plugin/ComponentManager.h @@ -243,7 +243,8 @@ void ComponentManager::RegisterComponent(C* component, // Install an identfier for enum value string id = fmt("%s%s", prefix.c_str(), cname.c_str()); tag_enum_type->AddName(module, id.c_str(), - component->Tag().AsEnumVal()->InternalInt(), true); + component->Tag().AsEnumVal()->InternalInt(), true, + false); } } // namespace plugin diff --git a/src/scan.l b/src/scan.l index 0820567c30..ae11382fb3 100644 --- a/src/scan.l +++ b/src/scan.l @@ -260,6 +260,7 @@ when return TOK_WHEN; &create_expire return TOK_ATTR_EXPIRE_CREATE; &default return TOK_ATTR_DEFAULT; &delete_func return TOK_ATTR_DEL_FUNC; +&deprecated return TOK_ATTR_DEPRECATED; &raw_output return TOK_ATTR_RAW_OUTPUT; &encrypt return TOK_ATTR_ENCRYPT; &error_handler return TOK_ATTR_ERROR_HANDLER; diff --git a/src/strings.bif b/src/strings.bif index 4a30ca2aa4..84d6014cff 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -130,7 +130,7 @@ BroString* cat_string_array_n(TableVal* tbl, int start, int end) ## .. bro:see:: cat cat_sep string_cat cat_string_array_n ## fmt ## join_string_vec join_string_array -function cat_string_array%(a: string_array%): string +function cat_string_array%(a: string_array%): string &deprecated %{ TableVal* tbl = a->AsTableVal(); return new StringVal(cat_string_array_n(tbl, 1, a->AsTable()->Length())); @@ -149,7 +149,7 @@ function cat_string_array%(a: string_array%): string ## .. bro:see:: cat string_cat cat_string_array ## fmt ## join_string_vec join_string_array -function cat_string_array_n%(a: string_array, start: count, end: count%): string +function cat_string_array_n%(a: string_array, start: count, end: count%): string &deprecated %{ TableVal* tbl = a->AsTableVal(); return new StringVal(cat_string_array_n(tbl, start, end)); @@ -168,7 +168,7 @@ function cat_string_array_n%(a: string_array, start: count, end: count%): string ## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n ## fmt ## join_string_vec -function join_string_array%(sep: string, a: string_array%): string +function join_string_array%(sep: string, a: string_array%): string &deprecated %{ vector vs; TableVal* tbl = a->AsTableVal(); @@ -230,7 +230,7 @@ function join_string_vec%(vec: string_vec, sep: string%): string ## Returns: A sorted copy of *a*. ## ## .. bro:see:: sort -function sort_string_array%(a: string_array%): string_array +function sort_string_array%(a: string_array%): string_array &deprecated %{ TableVal* tbl = a->AsTableVal(); int n = a->AsTable()->Length(); @@ -338,6 +338,62 @@ static int match_prefix(int s_len, const char* s, int t_len, const char* t) return 1; } +VectorVal* do_split_string(StringVal* str_val, RE_Matcher* re, int incl_sep, + int max_num_sep) + { + VectorVal* rval = new VectorVal(new VectorType(base_type(TYPE_STRING))); + const u_char* s = str_val->Bytes(); + int n = str_val->Len(); + const u_char* end_of_s = s + n; + int num = 0; + int num_sep = 0; + + int offset = 0; + while ( n >= 0 ) + { + offset = 0; + // Find next match offset. + int end_of_match = 0; + while ( n > 0 && + (end_of_match = re->MatchPrefix(s + offset, n)) <= 0 ) + { + // Move on to next byte. + ++offset; + --n; + } + + if ( max_num_sep && num_sep >= max_num_sep ) + { + offset = end_of_s - s; + n=0; + } + + rval->Assign(num++, new StringVal(offset, (const char*) s)); + + // No more separators will be needed if this is the end of string. + if ( n <= 0 ) + break; + + if ( incl_sep ) + { // including the part that matches the pattern + rval->Assign(num++, new StringVal(end_of_match, (const char*) s+offset)); + } + + if ( max_num_sep && num_sep >= max_num_sep ) + break; + + ++num_sep; + + n -= end_of_match; + s += offset + end_of_match;; + + if ( s > end_of_s ) + reporter->InternalError("RegMatch in split goes beyond the string"); + } + + return rval; + } + Val* do_split(StringVal* str_val, RE_Matcher* re, int incl_sep, int max_num_sep) { TableVal* a = new TableVal(string_array); @@ -493,17 +549,33 @@ Val* do_sub(StringVal* str_val, RE_Matcher* re, StringVal* repl, int do_all) ## Returns: An array of strings where each element corresponds to a substring ## in *str* separated by *re*. ## -## .. bro:see:: split1 split_all split_n str_split +## .. bro:see:: split1 split_all split_n str_split split_string1 split_string_all split_string_n str_split ## ## .. note:: The returned table starts at index 1. Note that conceptually the ## return value is meant to be a vector and this might change in the ## future. ## -function split%(str: string, re: pattern%): string_array +function split%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 0, 0); %} +## Splits a string into an array of strings according to a pattern. +## +## str: The string to split. +## +## re: The pattern describing the element separator in *str*. +## +## Returns: An array of strings where each element corresponds to a substring +## in *str* separated by *re*. +## +## .. bro:see:: split_string1 split_string_all split_string_n str_split +## +function split_string%(str: string, re: pattern%): string_vec + %{ + return do_split_string(str, re, 0, 0); + %} + ## Splits a string *once* into a two-element array of strings according to a ## pattern. This function is the same as :bro:id:`split`, but *str* is only ## split once (if possible) at the earliest position and an array of two strings @@ -518,12 +590,32 @@ function split%(str: string, re: pattern%): string_array ## second everything after *re*. An array of one string is returned ## when *s* cannot be split. ## -## .. bro:see:: split split_all split_n str_split -function split1%(str: string, re: pattern%): string_array +## .. bro:see:: split split_all split_n str_split split_string split_string_all split_string_n str_split +function split1%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 0, 1); %} +## Splits a string *once* into a two-element array of strings according to a +## pattern. This function is the same as :bro:id:`split_string`, but *str* is +## only split once (if possible) at the earliest position and an array of two +## strings is returned. +## +## str: The string to split. +## +## re: The pattern describing the separator to split *str* in two pieces. +## +## Returns: An array of strings with two elements in which the first represents +## the substring in *str* up to the first occurence of *re*, and the +## second everything after *re*. An array of one string is returned +## when *s* cannot be split. +## +## .. bro:see:: split_string split_string_all split_string_n str_split +function split_string1%(str: string, re: pattern%): string_vec + %{ + return do_split_string(str, re, 0, 1); + %} + ## Splits a string into an array of strings according to a pattern. This ## function is the same as :bro:id:`split`, except that the separators are ## returned as well. For example, ``split_all("a-b--cd", /(\-)+/)`` returns @@ -538,12 +630,32 @@ function split1%(str: string, re: pattern%): string_array ## to a substring in *str* of the part not matching *re* (odd-indexed) ## and the part that matches *re* (even-indexed). ## -## .. bro:see:: split split1 split_n str_split -function split_all%(str: string, re: pattern%): string_array +## .. bro:see:: split split1 split_n str_split split_string split_string1 split_string_n str_split +function split_all%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 1, 0); %} +## Splits a string into an array of strings according to a pattern. This +## function is the same as :bro:id:`split_string`, except that the separators +## are returned as well. For example, ``split_string_all("a-b--cd", /(\-)+/)`` +## returns ``{"a", "-", "b", "--", "cd"}``: odd-indexed elements do match the +## pattern and even-indexed ones do not. +## +## str: The string to split. +## +## re: The pattern describing the element separator in *str*. +## +## Returns: An array of strings where each two successive elements correspond +## to a substring in *str* of the part not matching *re* (even-indexed) +## and the part that matches *re* (odd-indexed). +## +## .. bro:see:: split_string split_string1 split_string_n str_split +function split_string_all%(str: string, re: pattern%): string_vec + %{ + return do_split_string(str, re, 1, 0); + %} + ## Splits a string a given number of times into an array of strings according ## to a pattern. This function is similar to :bro:id:`split1` and ## :bro:id:`split_all`, but with customizable behavior with respect to @@ -563,13 +675,39 @@ function split_all%(str: string, re: pattern%): string_array ## not matching *re* (odd-indexed) and the part that matches *re* ## (even-indexed). ## -## .. bro:see:: split split1 split_all str_split +## .. bro:see:: split split1 split_all str_split split_string split_string1 split_string_all str_split function split_n%(str: string, re: pattern, - incl_sep: bool, max_num_sep: count%): string_array + incl_sep: bool, max_num_sep: count%): string_array &deprecated %{ return do_split(str, re, incl_sep, max_num_sep); %} +## Splits a string a given number of times into an array of strings according +## to a pattern. This function is similar to :bro:id:`split_string1` and +## :bro:id:`split_string_all`, but with customizable behavior with respect to +## including separators in the result and the number of times to split. +## +## str: The string to split. +## +## re: The pattern describing the element separator in *str*. +## +## incl_sep: A flag indicating whether to include the separator matches in the +## result (as in :bro:id:`split_string_all`). +## +## max_num_sep: The number of times to split *str*. +## +## Returns: An array of strings where, if *incl_sep* is true, each two +## successive elements correspond to a substring in *str* of the part +## not matching *re* (event-indexed) and the part that matches *re* +## (odd-indexed). +## +## .. bro:see:: split_string split_string1 split_string_all str_split +function split_string_n%(str: string, re: pattern, + incl_sep: bool, max_num_sep: count%): string_vec + %{ + return do_split_string(str, re, incl_sep, max_num_sep); + %} + ## Substitutes a given replacement string for the first occurrence of a pattern ## in a given string. ## diff --git a/testing/btest/Baseline/bifs.split_string/out b/testing/btest/Baseline/bifs.split_string/out new file mode 100644 index 0000000000..0ec2541f3d --- /dev/null +++ b/testing/btest/Baseline/bifs.split_string/out @@ -0,0 +1,32 @@ +t +s is a t +t +--------------------- +t +s is a test +--------------------- +t +hi +s is a t +es +t +--------------------- +t +s is a test +--------------------- +t +hi +s is a test +--------------------- +[, thi, s i, s a tes, t] +--------------------- +X-Mailer +Testing Test (http://www.example.com) +--------------------- +A += + B += + C += + D diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output index 3b93ee757c..5e86c8d685 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output @@ -2,10 +2,10 @@ file_analysis_02.bro -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { print "new file", f$id; - if ( f?$mime_type && f$mime_type == "text/plain" ) + if ( mime_type == "text/plain" ) Files::add_analyzer(f, Files::ANALYZER_MD5); } diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output index acae92f44b..b193e4a530 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output @@ -11,18 +11,15 @@ global mime_to_ext: table[string] of string = { ["text/html"] = "html", }; -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { if ( f$source != "HTTP" ) return; - if ( ! f?$mime_type ) + if ( mime_type !in mime_to_ext ) return; - if ( f$mime_type !in mime_to_ext ) - return; - - local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]); + local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]); print fmt("Extracting file %s", fname); Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); - } + } \ No newline at end of file diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output index bcf6ccd309..03ba9cb3cd 100644 --- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output @@ -46,15 +46,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -70,6 +70,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); } diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output index be9619fa1c..55950caf6b 100644 --- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output +++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output @@ -9,15 +9,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -33,6 +33,6 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); - } diff --git a/testing/btest/Baseline/language.deprecated/out b/testing/btest/Baseline/language.deprecated/out new file mode 100644 index 0000000000..5bdf87a62b --- /dev/null +++ b/testing/btest/Baseline/language.deprecated/out @@ -0,0 +1,28 @@ +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 30: deprecated (ONE) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 31: deprecated (TWO) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 33: deprecated (GREEN) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 34: deprecated (BLUE) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 36: deprecated (blah) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 40: deprecated (my_event) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 41: deprecated (my_event) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 42: deprecated (my_hook) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 44: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 45: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 46: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 48: deprecated (my_record?$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 49: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 52: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 55: deprecated (my_event) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 60: deprecated (my_hook) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 65: deprecated (blah) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 74: deprecated (dont_use_me) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 79: deprecated (dont_use_me_either) +ZERO +ONE +TWO +RED +GREEN +BLUE +generate my_hook please +generate my_event please +schedule my_event please diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index cf6cabda5e..927a64692f 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -129,37 +129,37 @@ 0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Cluster::LOG, [columns=, ev=])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Communication::LOG, [columns=, ev=])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Conn::LOG, [columns=, ev=Conn::log_conn])) -> @@ -191,7 +191,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Conn::LOG)) -> @@ -285,8 +285,8 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -> @@ -319,8 +319,8 @@ 0.000000 MetaHookPost CallFunction(reading_live_traffic, ()) -> 0.000000 MetaHookPost CallFunction(reading_traces, ()) -> 0.000000 MetaHookPost CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -> -0.000000 MetaHookPost CallFunction(split1, (PacketFilter::LOG, <...>/)) -> -0.000000 MetaHookPost CallFunction(split_n, (PacketFilter, <...>/, T, 4)) -> +0.000000 MetaHookPost CallFunction(split_string1, (PacketFilter::LOG, <...>/)) -> +0.000000 MetaHookPost CallFunction(split_string_n, (PacketFilter, <...>/, T, 4)) -> 0.000000 MetaHookPost CallFunction(string_to_pattern, ((^\.?|\.)()$, F)) -> 0.000000 MetaHookPost CallFunction(sub, ((^\.?|\.)(~~)$, <...>/, )) -> 0.000000 MetaHookPost CallFunction(sub_bytes, (tFilter, 1, 1)) -> @@ -668,37 +668,37 @@ 0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Cluster::LOG, [columns=, ev=])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Communication::LOG, [columns=, ev=])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Conn::LOG, [columns=, ev=Conn::log_conn])) @@ -730,7 +730,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Conn::LOG)) @@ -824,8 +824,8 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) -0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Notice::want_pp, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::build, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) @@ -858,8 +858,8 @@ 0.000000 MetaHookPre CallFunction(reading_live_traffic, ()) 0.000000 MetaHookPre CallFunction(reading_traces, ()) 0.000000 MetaHookPre CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -0.000000 MetaHookPre CallFunction(split1, (PacketFilter::LOG, <...>/)) -0.000000 MetaHookPre CallFunction(split_n, (PacketFilter, <...>/, T, 4)) +0.000000 MetaHookPre CallFunction(split_string1, (PacketFilter::LOG, <...>/)) +0.000000 MetaHookPre CallFunction(split_string_n, (PacketFilter, <...>/, T, 4)) 0.000000 MetaHookPre CallFunction(string_to_pattern, ((^\.?|\.)()$, F)) 0.000000 MetaHookPre CallFunction(sub, ((^\.?|\.)(~~)$, <...>/, )) 0.000000 MetaHookPre CallFunction(sub_bytes, (tFilter, 1, 1)) @@ -1207,37 +1207,37 @@ 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) -0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=, ev=]) 0.000000 | HookCallFunction Log::__create_stream(Communication::LOG, [columns=, ev=]) 0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=, ev=Conn::log_conn]) @@ -1269,7 +1269,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1363,8 +1363,8 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Notice::want_pp() 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) @@ -1397,8 +1397,8 @@ 0.000000 | HookCallFunction reading_live_traffic() 0.000000 | HookCallFunction reading_traces() 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) -0.000000 | HookCallFunction split1(PacketFilter::LOG, <...>/) -0.000000 | HookCallFunction split_n(PacketFilter, <...>/, T, 4) +0.000000 | HookCallFunction split_string1(PacketFilter::LOG, <...>/) +0.000000 | HookCallFunction split_string_n(PacketFilter, <...>/, T, 4) 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) 0.000000 | HookCallFunction sub_bytes(tFilter, 1, 1) @@ -1486,7 +1486,7 @@ 1362692526.939527 MetaHookPost CallFunction(network_time, ()) -> 1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> 1362692526.939527 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692526.939527 MetaHookPost CallFunction(split1, (bro.org, <...>/)) -> +1362692526.939527 MetaHookPost CallFunction(split_string1, (bro.org, <...>/)) -> 1362692526.939527 MetaHookPost DrainEvents() -> 1362692526.939527 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 1362692526.939527 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false @@ -1523,7 +1523,7 @@ 1362692526.939527 MetaHookPre CallFunction(network_time, ()) 1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) 1362692526.939527 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -1362692526.939527 MetaHookPre CallFunction(split1, (bro.org, <...>/)) +1362692526.939527 MetaHookPre CallFunction(split_string1, (bro.org, <...>/)) 1362692526.939527 MetaHookPre DrainEvents() 1362692526.939527 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) @@ -1561,7 +1561,7 @@ 1362692526.939527 | HookCallFunction network_time() 1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) 1362692526.939527 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80) -1362692526.939527 | HookCallFunction split1(bro.org, <...>/) +1362692526.939527 | HookCallFunction split_string1(bro.org, <...>/) 1362692526.939527 | HookDrainEvents 1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) @@ -1607,7 +1607,7 @@ 1362692527.009512 MetaHookPost CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> 1362692527.009512 MetaHookPost CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009512 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009512 MetaHookPost CallFunction(split_all, (HTTP, <...>/)) -> +1362692527.009512 MetaHookPost CallFunction(split_string_all, (HTTP, <...>/)) -> 1362692527.009512 MetaHookPost DrainEvents() -> 1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) -> false 1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false @@ -1653,7 +1653,7 @@ 1362692527.009512 MetaHookPre CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) 1362692527.009512 MetaHookPre CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009512 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009512 MetaHookPre CallFunction(split_all, (HTTP, <...>/)) +1362692527.009512 MetaHookPre CallFunction(split_string_all, (HTTP, <...>/)) 1362692527.009512 MetaHookPre DrainEvents() 1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) 1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) @@ -1700,7 +1700,7 @@ 1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) 1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009512 | HookCallFunction split_all(HTTP, <...>/) +1362692527.009512 | HookCallFunction split_string_all(HTTP, <...>/) 1362692527.009512 | HookDrainEvents 1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=]) 1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) @@ -1750,10 +1750,10 @@ 1362692527.009775 MetaHookPost CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> 1362692527.009775 MetaHookPost CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009775 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009775 MetaHookPost CallFunction(split1, (Files::LOG, <...>/)) -> -1362692527.009775 MetaHookPost CallFunction(split1, (HTTP::LOG, <...>/)) -> -1362692527.009775 MetaHookPost CallFunction(split_n, (Files, <...>/, T, 4)) -> -1362692527.009775 MetaHookPost CallFunction(split_n, (HTTP, <...>/, T, 4)) -> +1362692527.009775 MetaHookPost CallFunction(split_string1, (Files::LOG, <...>/)) -> +1362692527.009775 MetaHookPost CallFunction(split_string1, (HTTP::LOG, <...>/)) -> +1362692527.009775 MetaHookPost CallFunction(split_string_n, (Files, <...>/, T, 4)) -> +1362692527.009775 MetaHookPost CallFunction(split_string_n, (HTTP, <...>/, T, 4)) -> 1362692527.009775 MetaHookPost CallFunction(to_lower, (Files)) -> 1362692527.009775 MetaHookPost CallFunction(to_lower, (HTTP)) -> 1362692527.009775 MetaHookPost DrainEvents() -> @@ -1785,10 +1785,10 @@ 1362692527.009775 MetaHookPre CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) 1362692527.009775 MetaHookPre CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009775 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009775 MetaHookPre CallFunction(split1, (Files::LOG, <...>/)) -1362692527.009775 MetaHookPre CallFunction(split1, (HTTP::LOG, <...>/)) -1362692527.009775 MetaHookPre CallFunction(split_n, (Files, <...>/, T, 4)) -1362692527.009775 MetaHookPre CallFunction(split_n, (HTTP, <...>/, T, 4)) +1362692527.009775 MetaHookPre CallFunction(split_string1, (Files::LOG, <...>/)) +1362692527.009775 MetaHookPre CallFunction(split_string1, (HTTP::LOG, <...>/)) +1362692527.009775 MetaHookPre CallFunction(split_string_n, (Files, <...>/, T, 4)) +1362692527.009775 MetaHookPre CallFunction(split_string_n, (HTTP, <...>/, T, 4)) 1362692527.009775 MetaHookPre CallFunction(to_lower, (Files)) 1362692527.009775 MetaHookPre CallFunction(to_lower, (HTTP)) 1362692527.009775 MetaHookPre DrainEvents() @@ -1821,10 +1821,10 @@ 1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009775 | HookCallFunction split1(Files::LOG, <...>/) -1362692527.009775 | HookCallFunction split1(HTTP::LOG, <...>/) -1362692527.009775 | HookCallFunction split_n(Files, <...>/, T, 4) -1362692527.009775 | HookCallFunction split_n(HTTP, <...>/, T, 4) +1362692527.009775 | HookCallFunction split_string1(Files::LOG, <...>/) +1362692527.009775 | HookCallFunction split_string1(HTTP::LOG, <...>/) +1362692527.009775 | HookCallFunction split_string_n(Files, <...>/, T, 4) +1362692527.009775 | HookCallFunction split_string_n(HTTP, <...>/, T, 4) 1362692527.009775 | HookCallFunction to_lower(Files) 1362692527.009775 | HookCallFunction to_lower(HTTP) 1362692527.009775 | HookDrainEvents @@ -1879,8 +1879,8 @@ 1362692527.080972 MetaHookPost CallFunction(net_stats, ()) -> 1362692527.080972 MetaHookPost CallFunction(reading_traces, ()) -> 1362692527.080972 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.080972 MetaHookPost CallFunction(split1, (Conn::LOG, <...>/)) -> -1362692527.080972 MetaHookPost CallFunction(split_n, (Conn, <...>/, T, 4)) -> +1362692527.080972 MetaHookPost CallFunction(split_string1, (Conn::LOG, <...>/)) -> +1362692527.080972 MetaHookPost CallFunction(split_string_n, (Conn, <...>/, T, 4)) -> 1362692527.080972 MetaHookPost CallFunction(sub_bytes, (HTTP, 0, 1)) -> 1362692527.080972 MetaHookPost CallFunction(to_lower, (Conn)) -> 1362692527.080972 MetaHookPost CallFunction(to_lower, (HTTP)) -> @@ -1913,8 +1913,8 @@ 1362692527.080972 MetaHookPre CallFunction(net_stats, ()) 1362692527.080972 MetaHookPre CallFunction(reading_traces, ()) 1362692527.080972 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.080972 MetaHookPre CallFunction(split1, (Conn::LOG, <...>/)) -1362692527.080972 MetaHookPre CallFunction(split_n, (Conn, <...>/, T, 4)) +1362692527.080972 MetaHookPre CallFunction(split_string1, (Conn::LOG, <...>/)) +1362692527.080972 MetaHookPre CallFunction(split_string_n, (Conn, <...>/, T, 4)) 1362692527.080972 MetaHookPre CallFunction(sub_bytes, (HTTP, 0, 1)) 1362692527.080972 MetaHookPre CallFunction(to_lower, (Conn)) 1362692527.080972 MetaHookPre CallFunction(to_lower, (HTTP)) @@ -1948,8 +1948,8 @@ 1362692527.080972 | HookCallFunction net_stats() 1362692527.080972 | HookCallFunction reading_traces() 1362692527.080972 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80) -1362692527.080972 | HookCallFunction split1(Conn::LOG, <...>/) -1362692527.080972 | HookCallFunction split_n(Conn, <...>/, T, 4) +1362692527.080972 | HookCallFunction split_string1(Conn::LOG, <...>/) +1362692527.080972 | HookCallFunction split_string_n(Conn, <...>/, T, 4) 1362692527.080972 | HookCallFunction sub_bytes(HTTP, 0, 1) 1362692527.080972 | HookCallFunction to_lower(Conn) 1362692527.080972 | HookCallFunction to_lower(HTTP) diff --git a/testing/btest/Baseline/scripts.base.utils.addrs/output b/testing/btest/Baseline/scripts.base.utils.addrs/output index d93268a565..37afcb4719 100644 --- a/testing/btest/Baseline/scripts.base.utils.addrs/output +++ b/testing/btest/Baseline/scripts.base.utils.addrs/output @@ -30,14 +30,6 @@ T F F F -============ test find_ip_addresses() -{ -[0] = 1.1.1.1, -[2] = 3.3.3.3, -[1] = 2.2.2.2 -} -{ -[0] = 1.1.1.1, -[2] = 3.3.3.3, -[1] = 0:0:0:0:0:0:0:0 -} +============ test extract_ip_addresses() +[1.1.1.1, 2.2.2.2, 3.3.3.3] +[1.1.1.1, 0:0:0:0:0:0:0:0, 3.3.3.3] diff --git a/testing/btest/bifs/split_string.bro b/testing/btest/bifs/split_string.bro new file mode 100644 index 0000000000..e4d32b7f73 --- /dev/null +++ b/testing/btest/bifs/split_string.bro @@ -0,0 +1,36 @@ +# +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +function print_string_vector(v: string_vec) + { + for ( i in v ) + print v[i]; + } + +event bro_init() + { + local a = "this is a test"; + local pat = /hi|es/; + local idx = vector( 3, 6, 13); + + print_string_vector(split_string(a, pat)); + print "---------------------"; + print_string_vector(split_string1(a, pat)); + print "---------------------"; + print_string_vector(split_string_all(a, pat)); + print "---------------------"; + print_string_vector(split_string_n(a, pat, F, 1)); + print "---------------------"; + print_string_vector(split_string_n(a, pat, T, 1)); + print "---------------------"; + print str_split(a, idx); + print "---------------------"; + a = "X-Mailer: Testing Test (http://www.example.com)"; + pat = /:[[:blank:]]*/; + print_string_vector(split_string1(a, pat)); + print "---------------------"; + a = "A = B = C = D"; + pat = /=/; + print_string_vector(split_string_all(a, pat)); + } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest index 3b93ee757c..5e86c8d685 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest @@ -2,10 +2,10 @@ file_analysis_02.bro -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { print "new file", f$id; - if ( f?$mime_type && f$mime_type == "text/plain" ) + if ( mime_type == "text/plain" ) Files::add_analyzer(f, Files::ANALYZER_MD5); } diff --git a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest index acae92f44b..b193e4a530 100644 --- a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest @@ -11,18 +11,15 @@ global mime_to_ext: table[string] of string = { ["text/html"] = "html", }; -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { if ( f$source != "HTTP" ) return; - if ( ! f?$mime_type ) + if ( mime_type !in mime_to_ext ) return; - if ( f$mime_type !in mime_to_ext ) - return; - - local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]); + local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]); print fmt("Extracting file %s", fname); Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); - } + } \ No newline at end of file diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest index bcf6ccd309..03ba9cb3cd 100644 --- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest +++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest @@ -46,15 +46,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -70,6 +70,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); } diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest index be9619fa1c..55950caf6b 100644 --- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest +++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest @@ -9,15 +9,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -33,6 +33,6 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); - } diff --git a/testing/btest/language/deprecated.bro b/testing/btest/language/deprecated.bro new file mode 100644 index 0000000000..ec9c3c9e1e --- /dev/null +++ b/testing/btest/language/deprecated.bro @@ -0,0 +1,80 @@ +# @TEST-EXEC: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +type blah: string &deprecated; + +global my_event: event(arg: string) &deprecated; + +global my_hook: hook(arg: string) &deprecated; + +type my_record: record { + a: count &default = 1; + b: string &optional &deprecated; +}; + +type my_enum: enum { + RED, + GREEN &deprecated, + BLUE &deprecated +}; + +type my_other_enum: enum { + ZERO = 0, + ONE = 1 &deprecated, + TWO = 2 &deprecated +}; + +event bro_init() + { + print ZERO; + print ONE; + print TWO; + print RED; + print GREEN; + print BLUE; + + local l: blah = "testing"; + + local ls: string = " test"; + + event my_event("generate my_event please"); + schedule 1sec { my_event("schedule my_event please") }; + hook my_hook("generate my_hook please"); + + local mr = my_record($a = 3, $b = "yeah"); + mr = [$a = 4, $b = "ye"]; + mr = record($a = 5, $b = "y"); + + if ( ! mr?$b ) + mr$b = "nooooooo"; + + mr$a = 2; + mr$b = "noooo"; + } + +event my_event(arg: string) + { + print arg; + } + +hook my_hook(arg: string) + { + print arg; + } + +function hmm(b: blah) + { + print b; + } + +global dont_use_me: function() &deprecated; + +function dont_use_me() + { + dont_use_me(); + } + +function dont_use_me_either() &deprecated + { + dont_use_me_either(); + } diff --git a/testing/btest/scripts/base/utils/addrs.test b/testing/btest/scripts/base/utils/addrs.test index 08bce5f35f..224fd9dc62 100644 --- a/testing/btest/scripts/base/utils/addrs.test +++ b/testing/btest/scripts/base/utils/addrs.test @@ -1,8 +1,7 @@ -# @TEST-EXEC: bro %INPUT > output +# @TEST-EXEC: bro -b %INPUT > output # @TEST-EXEC: btest-diff output -# This is loaded by default -#@load base/utils/addrs +@load base/utils/addrs event bro_init() { @@ -98,8 +97,8 @@ event bro_init() ip = "2001:db8:0:0:0:FFFF:192.168.0.256"; print is_valid_ip(ip); - print "============ test find_ip_addresses()"; - print find_ip_addresses("this is 1.1.1.1 a test 2.2.2.2 string with ip addresses 3.3.3.3"); - print find_ip_addresses("this is 1.1.1.1 a test 0:0:0:0:0:0:0:0 string with ip addresses 3.3.3.3"); + print "============ test extract_ip_addresses()"; + print extract_ip_addresses("this is 1.1.1.1 a test 2.2.2.2 string with ip addresses 3.3.3.3"); + print extract_ip_addresses("this is 1.1.1.1 a test 0:0:0:0:0:0:0:0 string with ip addresses 3.3.3.3"); }