From fcabd72b928dc067d2c99cc343ab066f4c2b7b40 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Fri, 17 Aug 2018 11:12:53 -0500
Subject: [PATCH] BIT-1815: move SMB::write_cmd_log functionality into policy/
 script

The option is removed, but same functionality is now enabled simply
by loading policy/protocols/smb/log-cmds.bro
---
 CHANGES                                     |  7 ++
 NEWS                                        |  4 +
 VERSION                                     |  2 +-
 scripts/base/protocols/smb/main.bro         | 20 -----
 scripts/base/protocols/smb/smb1-main.bro    | 30 +-------
 scripts/base/protocols/smb/smb2-main.bro    | 27 +++----
 scripts/policy/protocols/smb/log-cmds.bro   | 82 +++++++++++++++++++++
 scripts/test-all-policy.bro                 |  1 +
 testing/btest/Baseline/plugins.hooks/output | 32 ++------
 9 files changed, 115 insertions(+), 90 deletions(-)
 create mode 100644 scripts/policy/protocols/smb/log-cmds.bro

diff --git a/CHANGES b/CHANGES
index 4e8d2ada45..c51cd00bbf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,11 @@
 
+2.5-850 | 2018-08-17 11:12:53 -0500
+
+  * BIT-1815: move SMB::write_cmd_log functionality into policy/ script
+
+    The option is removed, but same functionality is now enabled simply
+    by loading policy/protocols/smb/log-cmds.bro (Jon Siwek, Corelight)
+
 2.5-849 | 2018-08-17 10:29:58 -0500
 
   * Fix possible race in netcontrol acld/broker plugins (Jon Siwek, Corelight)
diff --git a/NEWS b/NEWS
index 1809cd4bd6..e5f5b28054 100644
--- a/NEWS
+++ b/NEWS
@@ -384,6 +384,10 @@ Changed Functionality
 
   - smb1_transaction2_request now has an additional "args" record argument
 
+- The SMB::write_cmd_log option has been removed and the corresponding
+  logic moving to policy/protocols/smb/log-cmds.bro which can simply
+  be loaded to produce the same effect of toggling the old flag on.
+
 - SSL event argument changes:
 
   - event ssl_server_signature now has an additional argument
diff --git a/VERSION b/VERSION
index 0eef8063da..3e949de53a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.5-849
+2.5-850
diff --git a/scripts/base/protocols/smb/main.bro b/scripts/base/protocols/smb/main.bro
index a2226ded33..7e8969594d 100644
--- a/scripts/base/protocols/smb/main.bro
+++ b/scripts/base/protocols/smb/main.bro
@@ -6,7 +6,6 @@ module SMB;
 
 export {
 	redef enum Log::ID += { 
-		CMD_LOG,
 		AUTH_LOG,
 		MAPPING_LOG,
 		FILES_LOG
@@ -43,11 +42,6 @@ export {
 		PRINT_CLOSE,
 	} &redef;
 
-	## The server response statuses which are *not* logged.
-	const ignored_command_statuses: set[string] = {
-		"MORE_PROCESSING_REQUIRED",
-	} &redef;
-	
 	## This record is for the smb_files.log
 	type FileInfo: record {
 		## Time when the file was first discovered.
@@ -159,25 +153,12 @@ export {
 		recent_files : set[string] &default=string_set() &read_expire=3min;
 	};
 
-	## Optionally write out the SMB commands log.  This is 
-	## primarily useful for debugging so is disabled by default.
-	const write_cmd_log = F &redef;
-
 	## Everything below here is used internally in the SMB scripts.
 
 	redef record connection += {
 		smb_state : State &optional;
 	};
 	
-	## Internal use only.
-	## Some commands shouldn't be logged by the smb1_message event.
-	const deferred_logging_cmds: set[string] = {
-		"NEGOTIATE",
-		"READ_ANDX",
-		"SESSION_SETUP_ANDX",
-		"TREE_CONNECT_ANDX",
-	};
-
 	## This is an internally used function.
 	const set_current_file: function(smb_state: State, file_id: count) &redef;
 
@@ -198,7 +179,6 @@ redef likely_server_ports += { ports };
 
 event bro_init() &priority=5
 	{
-	Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]);
 	Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files"]);
 	Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping"]);
 
diff --git a/scripts/base/protocols/smb/smb1-main.bro b/scripts/base/protocols/smb/smb1-main.bro
index 6b23fe91db..44210e88f0 100644
--- a/scripts/base/protocols/smb/smb1-main.bro
+++ b/scripts/base/protocols/smb/smb1-main.bro
@@ -68,17 +68,10 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5
 
 event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5
 	{
-	# Is this a response?
-	if ( !is_orig )
-		{
-		if ( SMB::write_cmd_log &&
-		     c$smb_state$current_cmd$status !in SMB::ignored_command_statuses &&
-		     c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds )
-			{
-			Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
-			}
-		delete c$smb_state$pending_cmds[hdr$mid];
-		}
+	if ( is_orig )
+		return;
+
+	delete c$smb_state$pending_cmds[hdr$mid];
 	}
 
 
@@ -325,18 +318,3 @@ event smb_pipe_request(c: connection, hdr: SMB1::Header, op_num: count)
 
 	c$smb_state$current_cmd$argument = arg;
 	}
-
-event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool)
-	{
-	if ( ! is_orig )
-		{
-		# This is for deferred commands only.
-		# The more specific messages won't fire for errors
-		if ( SMB::write_cmd_log &&
-		     c$smb_state$current_cmd$status !in SMB::ignored_command_statuses &&
-		     c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
-			{
-			Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
-			}
-		}
-	}
diff --git a/scripts/base/protocols/smb/smb2-main.bro b/scripts/base/protocols/smb/smb2-main.bro
index 2411502815..ab453f8829 100644
--- a/scripts/base/protocols/smb/smb2-main.bro
+++ b/scripts/base/protocols/smb/smb2-main.bro
@@ -65,25 +65,16 @@ event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=5
 
 event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=-5
 	{
-	# Is this a response?
-	if ( !is_orig )
-		{
-		# If the command that is being looked at right now was
-		# marked as PENDING, then we'll skip all of this and wait
-		# for a reply that isn't marked pending.
-		if ( c$smb_state$current_cmd$status == "PENDING" )
-			{
-			return;
-			}
+	if ( is_orig )
+		return;
 
-		if ( SMB::write_cmd_log &&
-		     c$smb_state$current_cmd$status !in SMB::ignored_command_statuses &&
-		     c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds )
-			{
-			Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
-			}
-		delete c$smb_state$pending_cmds[hdr$message_id];
-		}
+	# If the command that is being looked at right now was
+	# marked as PENDING, then we'll skip all of this and wait
+	# for a reply that isn't marked pending.
+	if ( c$smb_state$current_cmd$status == "PENDING" )
+		return;
+
+	delete c$smb_state$pending_cmds[hdr$message_id];
 	}
 
 event smb2_negotiate_request(c: connection, hdr: SMB2::Header, dialects: index_vec) &priority=5
diff --git a/scripts/policy/protocols/smb/log-cmds.bro b/scripts/policy/protocols/smb/log-cmds.bro
new file mode 100644
index 0000000000..6890535c3b
--- /dev/null
+++ b/scripts/policy/protocols/smb/log-cmds.bro
@@ -0,0 +1,82 @@
+##! Load this script to generate an SMB command log, smb_cmd.log.
+##! This is primarily useful for debugging.
+
+@load base/protocols/smb
+
+module SMB;
+
+export {
+	redef enum Log::ID += {
+		CMD_LOG,
+	};
+
+	## The server response statuses which are *not* logged.
+	const ignored_command_statuses: set[string] = {
+		"MORE_PROCESSING_REQUIRED",
+	} &redef;
+}
+
+## Internal use only.
+## Some commands shouldn't be logged by the smb1_message event.
+const deferred_logging_cmds: set[string] = {
+	"NEGOTIATE",
+	"READ_ANDX",
+	"SESSION_SETUP_ANDX",
+	"TREE_CONNECT_ANDX",
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]);
+	}
+
+event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5
+	{
+	if ( is_orig )
+		return;
+
+	if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
+		return;
+	
+	if ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
+		return;
+
+	Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+	}
+
+event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool)
+	{
+	if ( is_orig )
+		return;
+
+	# This is for deferred commands only.
+	# The more specific messages won't fire for errors
+
+	if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
+		return;
+
+	if ( c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds )
+		return;
+
+	Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+	}
+
+event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=-5
+	{
+	if ( is_orig )
+		return;
+
+	# If the command that is being looked at right now was
+	# marked as PENDING, then we'll skip all of this and wait
+	# for a reply that isn't marked pending.
+	if ( c$smb_state$current_cmd$status == "PENDING" )
+		return;
+
+	if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
+		return;
+
+	if ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
+		return;
+
+	Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+	}
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index e0268a7c62..7bdd2d4997 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -80,6 +80,7 @@
 @load protocols/modbus/track-memmap.bro
 @load protocols/mysql/software.bro
 @load protocols/rdp/indicate_ssl.bro
+@load protocols/smb/log-cmds.bro
 @load protocols/smtp/blocklists.bro
 @load protocols/smtp/detect-suspicious-orig.bro
 @load protocols/smtp/entities-excerpt.bro
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 0fadde65a5..20e01df16f 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -213,7 +213,6 @@
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=rfb, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=reporter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=sip, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smb_cmd, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smb_files, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smb_mapping, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smtp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
@@ -260,7 +259,6 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RFB::LOG, [columns=<no value description>, ev=RFB::log_rfb, path=rfb])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Reporter::LOG, [columns=<no value description>, ev=<uninitialized>, path=reporter])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SIP::LOG, [columns=<no value description>, ev=SIP::log_sip, path=sip])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMB::CMD_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_cmd])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMB::FILES_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_files])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMB::MAPPING_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_mapping])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp, path=smtp])) -> <no result>
@@ -276,7 +274,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@@ -308,7 +306,6 @@
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (RFB::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Reporter::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (SIP::LOG)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (SMB::CMD_LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (SMB::FILES_LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (SMB::MAPPING_LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (SMTP::LOG)) -> <no result>
@@ -355,7 +352,6 @@
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
@@ -402,7 +398,6 @@
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (RFB::LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Reporter::LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (SIP::LOG, default)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (SMB::CMD_LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (SMB::FILES_LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (SMB::MAPPING_LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (SMTP::LOG, default)) -> <no result>
@@ -449,7 +444,6 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (RFB::LOG, [columns=<no value description>, ev=RFB::log_rfb, path=rfb])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Reporter::LOG, [columns=<no value description>, ev=<uninitialized>, path=reporter])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SIP::LOG, [columns=<no value description>, ev=SIP::log_sip, path=sip])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SMB::CMD_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_cmd])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SMB::FILES_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_files])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SMB::MAPPING_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_mapping])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp, path=smtp])) -> <no result>
@@ -465,7 +459,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -1042,7 +1036,6 @@
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=rfb, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=reporter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=sip, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smb_cmd, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smb_files, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smb_mapping, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smtp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
@@ -1089,7 +1082,6 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RFB::LOG, [columns=<no value description>, ev=RFB::log_rfb, path=rfb]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Reporter::LOG, [columns=<no value description>, ev=<uninitialized>, path=reporter]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SIP::LOG, [columns=<no value description>, ev=SIP::log_sip, path=sip]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMB::CMD_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_cmd]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMB::FILES_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_files]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMB::MAPPING_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_mapping]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp, path=smtp]))
@@ -1105,7 +1097,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@@ -1137,7 +1129,6 @@
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (RFB::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Reporter::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (SIP::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (SMB::CMD_LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (SMB::FILES_LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (SMB::MAPPING_LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (SMTP::LOG))
@@ -1184,7 +1175,6 @@
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
@@ -1231,7 +1221,6 @@
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (RFB::LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Reporter::LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (SIP::LOG, default))
-0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (SMB::CMD_LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (SMB::FILES_LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (SMB::MAPPING_LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (SMTP::LOG, default))
@@ -1278,7 +1267,6 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (RFB::LOG, [columns=<no value description>, ev=RFB::log_rfb, path=rfb]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Reporter::LOG, [columns=<no value description>, ev=<uninitialized>, path=reporter]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SIP::LOG, [columns=<no value description>, ev=SIP::log_sip, path=sip]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SMB::CMD_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_cmd]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SMB::FILES_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_files]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SMB::MAPPING_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_mapping]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp, path=smtp]))
@@ -1294,7 +1282,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1870,7 +1858,6 @@
 0.000000 | HookCallFunction Log::__add_filter(RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=rfb, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=reporter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=sip, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::__add_filter(SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smb_cmd, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smb_files, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smb_mapping, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=smtp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
@@ -1917,7 +1904,6 @@
 0.000000 | HookCallFunction Log::__create_stream(RFB::LOG, [columns=<no value description>, ev=RFB::log_rfb, path=rfb])
 0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=<no value description>, ev=<uninitialized>, path=reporter])
 0.000000 | HookCallFunction Log::__create_stream(SIP::LOG, [columns=<no value description>, ev=SIP::log_sip, path=sip])
-0.000000 | HookCallFunction Log::__create_stream(SMB::CMD_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_cmd])
 0.000000 | HookCallFunction Log::__create_stream(SMB::FILES_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_files])
 0.000000 | HookCallFunction Log::__create_stream(SMB::MAPPING_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_mapping])
 0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp, path=smtp])
@@ -1933,7 +1919,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -1965,7 +1951,6 @@
 0.000000 | HookCallFunction Log::add_default_filter(RFB::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Reporter::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(SIP::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(SMB::CMD_LOG)
 0.000000 | HookCallFunction Log::add_default_filter(SMB::FILES_LOG)
 0.000000 | HookCallFunction Log::add_default_filter(SMB::MAPPING_LOG)
 0.000000 | HookCallFunction Log::add_default_filter(SMTP::LOG)
@@ -2012,7 +1997,6 @@
 0.000000 | HookCallFunction Log::add_filter(RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
@@ -2059,7 +2043,6 @@
 0.000000 | HookCallFunction Log::add_stream_filters(RFB::LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(Reporter::LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(SIP::LOG, default)
-0.000000 | HookCallFunction Log::add_stream_filters(SMB::CMD_LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(SMB::FILES_LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(SMB::MAPPING_LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(SMTP::LOG, default)
@@ -2106,7 +2089,6 @@
 0.000000 | HookCallFunction Log::create_stream(RFB::LOG, [columns=<no value description>, ev=RFB::log_rfb, path=rfb])
 0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=<no value description>, ev=<uninitialized>, path=reporter])
 0.000000 | HookCallFunction Log::create_stream(SIP::LOG, [columns=<no value description>, ev=SIP::log_sip, path=sip])
-0.000000 | HookCallFunction Log::create_stream(SMB::CMD_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_cmd])
 0.000000 | HookCallFunction Log::create_stream(SMB::FILES_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_files])
 0.000000 | HookCallFunction Log::create_stream(SMB::MAPPING_LOG, [columns=<no value description>, ev=<uninitialized>, path=smb_mapping])
 0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp, path=smtp])
@@ -2122,7 +2104,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2480,7 +2462,7 @@
 0.000000 | HookLoadFile  base<...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent bro_init()
 0.000000 | HookQueueEvent filter_change_tracking()