Updating CHANGES and VERSION.

* origin/topic/bbannier/bump-spicy:
  Bump pre-commit hooks
  Bump auxil/spicy to latest development snapshot

(cherry picked from commit cc59bfa5d8)

.pre-commit-config.yaml

@@ -19,7 +19,7 @@ repos:
     files: '^testing/btest/.*$'
 
 - repo: https://github.com/pre-commit/mirrors-clang-format
-  rev: v20.1.7
+  rev: v20.1.8
   hooks:
   - id: clang-format
     types_or:
@@ -28,13 +28,13 @@ repos:
       - "json"
 
 - repo: https://github.com/maxwinterstein/shfmt-py
-  rev: v3.11.0.2
+  rev: v3.12.0.1
   hooks:
     - id: shfmt
       args: ["-w", "-i", "4", "-ci"]
 
 - repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: v0.12.1
+  rev: v0.12.8
   hooks:
     - id: ruff
       args: [--fix]
@@ -46,7 +46,7 @@ repos:
   - id: cmake-format
 
 - repo: https://github.com/crate-ci/typos
-  rev: v1.33.1
+  rev: v1.35.3
   hooks:
     - id: typos
       exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES|scripts/base/protocols/ssl/mozilla-ca-list.zeek)$'

.typos.toml

@@ -38,6 +38,7 @@ extend-ignore-re = [
     "\"BaR\"",
     "\"xFoObar\"",
     "\"FoO\"",
+    "Smoot",
 ]
 
 extend-ignore-identifiers-re = [

CHANGES

@@ -1,3 +1,57 @@
+8.0.0-rc2 | 2025-08-12 12:42:54 -0700
+
+  * Release 8.0.0-rc2.
+
+8.0.0-rc1.6 | 2025-08-12 12:41:33 -0700
+
+  * Bump pre-commit hooks (Benjamin Bannier, Corelight)
+
+    (cherry picked from commit cc59bfa5d8a3e9fddc5d65adee68e1937ea5eda7)
+
+  * Bump auxil/spicy to latest development snapshot (Benjamin Bannier, Corelight)
+
+    (cherry picked from commit cc59bfa5d8a3e9fddc5d65adee68e1937ea5eda7)
+
+  * Update docs submodule with 8.0.0-rc2 changes [nomail] [skip ci] (Tim Wojtulewicz, Corelight)
+
+8.0.0-rc1.4 | 2025-08-11 11:38:57 -0700
+
+  * smb2/read: Parse only 1 byte for data_offset, ignore reserved1 (Arne Welzel, Corelight)
+
+    A user provided a SMB2 pcap with the reserved1 field of a ReadResponse
+    set to 1 instead of 0. This confused the padding computation due to
+    including this byte into the offset. Properly split data_offset and
+    reserved1 into individual byte fields.
+
+    (cherry picked from commit 76289a8022d258f94c4cba003dfa657428a247b1)
+
+8.0.0-rc1.3 | 2025-08-11 11:35:42 -0700
+
+  * GH-4176: cluster: Add on_subscribe() and on_unsubscribe() hooks (Arne Welzel, Corelight)
+
+    (cherry picked from commit 13f613eb1d29895924ae516ad51ca7090acd231f)
+
+8.0.0-rc1.2 | 2025-08-11 11:33:46 -0700
+
+  * Add proto to analyzer.log (Johanna Amann, Corelight)
+
+    The analyzer.log file was missing the protocol field to distinguish
+    tcp/udp connections.
+
+    (cherry picked from commit 2f2f328a722c38c9d53aa3812e3b35724c7f9e9f)
+
+  * Update zeek-aux submodule with c++20 changes (Tim Wojtulewicz, Corelight)
+
+8.0.0-rc1 | 2025-08-04 09:39:08 -0700
+
+  * Release 8.0.0-rc1.
+
+8.0.0-dev.828 | 2025-08-04 09:38:55 -0700
+
+  * Compile contributors for Zeek 8.0 in the NEWS file (Christian Kreibich, Corelight)
+
+    (cherry picked from commit 4fdd83f3f50a0e4631cb8e08ac931cc37f4637a3)
+
 8.0.0-dev.827 | 2025-08-01 17:10:13 +0200
 
   * ci/windows: No ZeroMQ cluster backend (Arne Welzel, Corelight)

NEWS

@@ -6,7 +6,13 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file
 Zeek 8.0.0
 ==========
 
-We would like to thank Bhaskar Bhar (@bhaskarbhar) for their contributions to this
+We would like to thank @aidans111, Anthony Verez (@netantho), Baa (@Baa14453),
+Bhaskar Bhar (@bhaskarbhar), @dwhitemv25, EdKo (@ephikos), @edoardomich, Fupeng
+Zhao (@AmazingPP), hendrik.schwartke@os-s.de (@hendrikschwartke), @i2z1, Jan
+Grashöfer (@J-Gras) Jean-Samuel Marier, Justin Azoff (@JustinAzoff), Mario D
+(@mari0d), Markus Elfring (@elfring), Peter Cullen (@pbcullen), Sean Donaghy,
+Simeon Miteff (@simeonmiteff), Steve Smoot (@stevesmoot), @timo-mue,
+@wojciech-graj, and Xiaochuan Ye (@XueSongTap) for their contributions to this
 release.
 
 Breaking Changes
@@ -290,6 +296,10 @@ New Functionality
   ``get_net_stats()``, it's possible to determine the number of packets that have
   been received and accepted by Zeek, but eventually discarded without processing.
 
+- Two new hooks, ``Cluster::on_subscribe()`` and ``Cluster::on_unsubscribe()`` have
+  been added to allow observing ``Subscribe()`` and ``Unsubscribe()`` calls on
+  backends by Zeek scripts.
+
 Changed Functionality
 ---------------------
 

VERSION

@@ -1 +1 @@
-8.0.0-dev.827
+8.0.0-rc2

auxil/spicy

@@ -1 +1 @@
-Subproject commit 140e88c9a8e04eca801bbd891e085cc180eee43f
+Subproject commit cef9b56b5a77a3727036ecfe5f806f513bb1359e

auxil/zeek-aux

@@ -1 +1 @@
-Subproject commit 6c72725b184cc5fd7d12cea5084f0f51de3e82e3
+Subproject commit 6ff49f46d5714b894a1f10f8463941fbda3b9364

doc

@@ -1 +1 @@
-Subproject commit 1ce37d96e268134100fbc6793c0c64d48e162337
+Subproject commit 7b8c31b46b35b8143b431a333e1487d6a0427e7f

scripts/base/frameworks/analyzer/logging.zeek

@@ -23,8 +23,10 @@ export {
 		uid:            string            &log &optional;
 		## File UID if available.
 		fuid:           string            &log &optional;
-		## Connection identifier if available
+		## Connection identifier if available.
 		id:             conn_id           &log &optional;
+		## Transport protocol for the violation, if available.
+		proto:          transport_proto   &log &optional;
 		## Failure or violation reason, if available.
 		failure_reason: string            &log;
 		## Data causing failure or violation if available. Truncated
@@ -62,6 +64,7 @@ function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: Analyzer
 		{
 		rec$id = info$c$id;
 		rec$uid = info$c$uid;
+		rec$proto = get_port_transport_proto(info$c$id$orig_p);
 		}
 
 	if ( info?$f )

scripts/base/frameworks/cluster/main.zeek

@@ -401,6 +401,20 @@ export {
 		## The value of the X-Application-Name HTTP header, if any.
 		application_name: string &optional;
 	};
+
+	## A hook invoked for every :zeek:see:`Cluster::subscribe` call.
+	##
+	## Breaking from this hook has no effect.
+	##
+	## topic: The topic string as given to :zeek:see:`Cluster::subscribe`.
+	global on_subscribe: hook(topic: string);
+
+	## A hook invoked for every :zeek:see:`Cluster::subscribe` call.
+	##
+	## Breaking from this hook has no effect.
+	##
+	## topic: The topic string as given to :zeek:see:`Cluster::subscribe`.
+	global on_unsubscribe: hook(topic: string);
 }
 
 # Needs declaration of Cluster::Event type.

src/analyzer/protocol/smb/smb2-com-read.pac

@@ -93,10 +93,11 @@ type SMB2_read_request(header: SMB2_Header) = record {
 
 type SMB2_read_response(header: SMB2_Header) = record {
 	structure_size    : uint16;
-	data_offset       : uint16;
+	data_offset       : uint8;
+	reserved1         : uint8;
 	data_len          : uint32;
 	data_remaining    : uint32;
-	reserved          : uint32;
+	reserved2         : uint32;
 	pad               : padding to data_offset - header.head_length;
 	data              : bytestring &length=data_len;
 } &let {

src/cluster/Backend.cc

@@ -11,6 +11,7 @@
 #include "zeek/EventHandler.h"
 #include "zeek/EventRegistry.h"
 #include "zeek/Func.h"
+#include "zeek/ID.h"
 #include "zeek/Reporter.h"
 #include "zeek/Type.h"
 #include "zeek/Val.h"
@@ -139,6 +140,26 @@ std::optional<Event> Backend::MakeClusterEvent(FuncValPtr handler, ArgsSpan args
     return Event{eh, std::move(*checked_args), std::move(meta)};
 }
 
+bool Backend::Subscribe(const std::string& topic_prefix, SubscribeCallback cb) {
+    static const auto on_subscribe = zeek::id::find_func("Cluster::on_subscribe");
+    assert(on_subscribe && on_subscribe->Flavor() == FUNC_FLAVOR_HOOK);
+
+    if ( on_subscribe && on_subscribe->HasEnabledBodies() )
+        on_subscribe->Invoke(zeek::make_intrusive<zeek::StringVal>(topic_prefix));
+
+    return DoSubscribe(topic_prefix, std::move(cb));
+}
+
+bool Backend::Unsubscribe(const std::string& topic_prefix) {
+    static const auto on_unsubscribe = zeek::id::find_func("Cluster::on_unsubscribe");
+    assert(on_unsubscribe && on_unsubscribe->Flavor() == FUNC_FLAVOR_HOOK);
+
+    if ( on_unsubscribe->HasEnabledBodies() )
+        on_unsubscribe->Invoke(zeek::make_intrusive<zeek::StringVal>(topic_prefix));
+
+    return DoUnsubscribe(topic_prefix);
+}
+
 void Backend::DoReadyToPublishCallback(Backend::ReadyCallback cb) {
     Backend::ReadyCallbackInfo info{Backend::CallbackStatus::Success};
     cb(info);

src/cluster/Backend.h

@@ -59,7 +59,7 @@ public:
     bool ProcessEvent(std::string_view topic, cluster::Event e) { return DoProcessEvent(topic, std::move(e)); }
 
     /**
-     * Method for enquing backend specific events.
+     * Method for enqueuing backend specific events.
      *
      * Some backend's may raise events destined for the local
      * scripting layer. That's usually wanted, but not always.
@@ -210,9 +210,7 @@ public:
      * @param cb callback invoked when the subscription was processed.
      * @return true if it's a new event subscription and it is now registered.
      */
-    bool Subscribe(const std::string& topic_prefix, SubscribeCallback cb = SubscribeCallback()) {
+    bool Subscribe(const std::string& topic_prefix, SubscribeCallback cb = SubscribeCallback());
-        return DoSubscribe(topic_prefix, std::move(cb));
-    }
 
     /**
      * Unregister interest in messages on a certain topic.
@@ -220,7 +218,7 @@ public:
      * @param topic_prefix a prefix previously supplied to Subscribe()
      * @return true if interest in topic prefix is no longer advertised.
      */
-    bool Unsubscribe(const std::string& topic_prefix) { return DoUnsubscribe(topic_prefix); }
+    bool Unsubscribe(const std::string& topic_prefix);
 
     /**
      * Information passed to a ready callback.

testing/btest/Baseline.zam/cluster.websocket.listen-idempotent/.stderr

@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/main.zeek, line 677: Already listening on 127.0.0.1:<port> (Cluster::__listen_websocket(ws_opts_x))
+error in <...>/main.zeek, line 691: Already listening on 127.0.0.1:<port> (Cluster::__listen_websocket(ws_opts_x))
-error in <...>/main.zeek, line 677: Already listening on 127.0.0.1:<port> (Cluster::__listen_websocket(ws_opts_wss_port))
+error in <...>/main.zeek, line 691: Already listening on 127.0.0.1:<port> (Cluster::__listen_websocket(ws_opts_wss_port))
-error in <...>/main.zeek, line 677: Already listening on 127.0.0.1:<port> (Cluster::__listen_websocket(ws_opts_qs))
+error in <...>/main.zeek, line 691: Already listening on 127.0.0.1:<port> (Cluster::__listen_websocket(ws_opts_qs))
 received termination signal

testing/btest/Baseline.zam/cluster.websocket.tls-usage-error/.stderr

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/main.zeek, line 677: Invalid tls_options: No key_file field (Cluster::__listen_websocket(Cluster::options.0))
+error in <...>/main.zeek, line 691: Invalid tls_options: No key_file field (Cluster::__listen_websocket(Cluster::options.0))
-error in <...>/main.zeek, line 677: Invalid tls_options: No cert_file field (Cluster::__listen_websocket(Cluster::options.3))
+error in <...>/main.zeek, line 691: Invalid tls_options: No cert_file field (Cluster::__listen_websocket(Cluster::options.3))

testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stderr

@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stdout

@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+on_subscribe, zeek/supervisor
+on_subscribe, /my_topic
+on_unsubscribe, /my_topic
+on_unsubscribe, /my_topic
+on_subscribe, /my_topic2

testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	analyzer
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	failure_reason	failure_data
-#types	time	string	string	string	string	addr	port	addr	port	string	string
+#types	time	string	string	string	string	addr	port	addr	port	enum	string	string
-XXXXXXXXXX.XXXXXX	packet	GTPV1	CHhAvVGS1DHFjwGM9	-	173.86.159.28	2152	213.72.147.186	2152	Truncated GTPv1	-
+XXXXXXXXXX.XXXXXX	packet	GTPV1	CHhAvVGS1DHFjwGM9	-	173.86.159.28	2152	213.72.147.186	2152	udp	Truncated GTPv1	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	analyzer
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	failure_reason	failure_data
-#types	time	string	string	string	string	addr	port	addr	port	string	string
+#types	time	string	string	string	string	addr	port	addr	port	enum	string	string
-XXXXXXXXXX.XXXXXX	protocol	NTLM	CHhAvVGS1DHFjwGM9	-	192.168.0.173	1068	192.168.0.2	4997	NTLM AV Pair loop underflow	-
+XXXXXXXXXX.XXXXXX	protocol	NTLM	CHhAvVGS1DHFjwGM9	-	192.168.0.173	1068	192.168.0.2	4997	tcp	NTLM AV Pair loop underflow	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	analyzer
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	failure_reason	failure_data
-#types	time	string	string	string	string	addr	port	addr	port	string	string
+#types	time	string	string	string	string	addr	port	addr	port	enum	string	string
-XXXXXXXXXX.XXXXXX	protocol	NTLM	CHhAvVGS1DHFjwGM9	-	192.168.0.173	1068	192.168.0.2	4997	NTLM AV Pair loop underflow	-
+XXXXXXXXXX.XXXXXX	protocol	NTLM	CHhAvVGS1DHFjwGM9	-	192.168.0.173	1068	192.168.0.2	4997	tcp	NTLM AV Pair loop underflow	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	analyzer
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	failure_reason	failure_data
-#types	time	string	string	string	string	addr	port	addr	port	string	string
+#types	time	string	string	string	string	addr	port	addr	port	enum	string	string
-XXXXXXXXXX.XXXXXX	protocol	FTP	CHhAvVGS1DHFjwGM9	-	127.0.0.1	51354	127.0.0.1	21	non-numeric reply code	99 PASV invalid
+XXXXXXXXXX.XXXXXX	protocol	FTP	CHhAvVGS1DHFjwGM9	-	127.0.0.1	51354	127.0.0.1	21	tcp	non-numeric reply code	99 PASV invalid
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	analyzer
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	failure_reason	failure_data
-#types	time	string	string	string	string	addr	port	addr	port	string	string
+#types	time	string	string	string	string	addr	port	addr	port	enum	string	string
-XXXXXXXXXX.XXXXXX	protocol	FTP	CHhAvVGS1DHFjwGM9	-	127.0.0.1	51344	127.0.0.1	21	non-numeric reply code	SYST not supported
+XXXXXXXXXX.XXXXXX	protocol	FTP	CHhAvVGS1DHFjwGM9	-	127.0.0.1	51344	127.0.0.1	21	tcp	non-numeric reply code	SYST not supported
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	analyzer
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	failure_reason	failure_data
-#types	time	string	string	string	string	addr	port	addr	port	string	string
+#types	time	string	string	string	string	addr	port	addr	port	enum	string	string
-XXXXXXXXXX.XXXXXX	protocol	FTP	CHhAvVGS1DHFjwGM9	-	127.0.0.1	51346	127.0.0.1	21	invalid reply line	230_no_space
+XXXXXXXXXX.XXXXXX	protocol	FTP	CHhAvVGS1DHFjwGM9	-	127.0.0.1	51346	127.0.0.1	21	tcp	invalid reply line	230_no_space
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	analyzer
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	failure_reason	failure_data
-#types	time	string	string	string	string	addr	port	addr	port	string	string
+#types	time	string	string	string	string	addr	port	addr	port	enum	string	string
-XXXXXXXXXX.XXXXXX	protocol	HTTP	CHhAvVGS1DHFjwGM9	-	192.168.12.5	51792	192.0.78.212	80	not a http request line	-
+XXXXXXXXXX.XXXXXX	protocol	HTTP	CHhAvVGS1DHFjwGM9	-	192.168.12.5	51792	192.0.78.212	80	tcp	not a http request line	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	failure_reason	failure_data
-1673270800.189652	protocol	POSTGRESQL	CHhAvVGS1DHFjwGM9	-	127.0.0.1	54958	127.0.0.1	5432	error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...)	-
+1673270800.189652	protocol	POSTGRESQL	CHhAvVGS1DHFjwGM9	-	127.0.0.1	54958	127.0.0.1	5432	tcp	error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...)	-

testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-response-non-zero-reserved1/files.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	files
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid
+#types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string
+XXXXXXXXXX.XXXXXX	FmcSEk2dq4v0hewpM4	CHhAvVGS1DHFjwGM9	172.31.112.17	57829	172.31.112.16	445	SMB	0	(empty)	text/plain	Test.txt	0.000000	T	F	189	189	0	0	F	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	analyzer
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data	packet_segment
+#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	failure_reason	failure_data	packet_segment
-#types	time	string	string	string	string	addr	port	addr	port	string	string	string
+#types	time	string	string	string	string	addr	port	addr	port	enum	string	string	string
-XXXXXXXXXX.XXXXXX	protocol	FTP	CHhAvVGS1DHFjwGM9	-	2001:470:1f05:17a6:d69a:20ff:fefd:6b88	24316	2001:6a8:a40::21	21	non-numeric reply code	SSH-2.0-mod_sftp/0.9.7	\xd4\x9a \xfdk\x88\x00\x80\xc8\xb9\xc2\x06\x86\xdd`\x00\x00\x00\x00t\x067 \x01\x06\xa8\x0a@\x00\x00\x00\x00\x00\x00\x00\x00\x00! \x01\x04p\x1f\x05\x17\xa6\xd6\x9a \xff\xfe\xfdk\x88\x00\x15^\xfc\x1f]\xed\x1b\xa9\x9f`\xf1P\x18\x00\x09~n\x00\x00SSH-2.0-mod_sftp/0.9.7\x0d\x0a\x00\x00\x00D\x08\x01\x00\x00\x00\x0c\x00\x00\x00)Maximum connections for host/user reached\x00\x00\x00\x05en-USI\xf8\xb9C\xae\xcf`\xc4
+XXXXXXXXXX.XXXXXX	protocol	FTP	CHhAvVGS1DHFjwGM9	-	2001:470:1f05:17a6:d69a:20ff:fefd:6b88	24316	2001:6a8:a40::21	21	tcp	non-numeric reply code	SSH-2.0-mod_sftp/0.9.7	\xd4\x9a \xfdk\x88\x00\x80\xc8\xb9\xc2\x06\x86\xdd`\x00\x00\x00\x00t\x067 \x01\x06\xa8\x0a@\x00\x00\x00\x00\x00\x00\x00\x00\x00! \x01\x04p\x1f\x05\x17\xa6\xd6\x9a \xff\xfe\xfdk\x88\x00\x15^\xfc\x1f]\xed\x1b\xa9\x9f`\xf1P\x18\x00\x09~n\x00\x00SSH-2.0-mod_sftp/0.9.7\x0d\x0a\x00\x00\x00D\x08\x01\x00\x00\x00\x0c\x00\x00\x00)Maximum connections for host/user reached\x00\x00\x00\x05en-USI\xf8\xb9C\xae\xcf`\xc4
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/spicy.parse-error/analyzer.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	analyzer
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+#fields	ts	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	failure_reason	failure_data
-#types	time	string	string	string	string	addr	port	addr	port	string	string
+#types	time	string	string	string	string	addr	port	addr	port	enum	string	string
-XXXXXXXXXX.XXXXXX	protocol	SPICY_SSH	CHhAvVGS1DHFjwGM9	-	192.150.186.169	49244	131.159.14.23	22	failed to match regular expression (<...>/test.spicy:9:15-9:22)	SSH-2.0-OpenSSH_3.8.1p1\x0a
+XXXXXXXXXX.XXXXXX	protocol	SPICY_SSH	CHhAvVGS1DHFjwGM9	-	192.150.186.169	49244	131.159.14.23	22	tcp	failed to match regular expression (<...>/test.spicy:9:15-9:22)	SSH-2.0-OpenSSH_3.8.1p1\x0a
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Traces/README

@@ -53,3 +53,6 @@ Trace Index/Sources:
 - ldap/adduser1.pcap ldap/adduser1-ntlm.pcap
   Provided by Mohan-Dhawan on #4275
   https://github.com/zeek/zeek/issues/4275
+- smb_v2_only_non_zero_reserved1.pcap
+  Provided by @predator89090 on #4730
+  https://github.com/zeek/zeek/issues/4730

testing/btest/cluster/generic/on-subscribe-unsubscribe.zeek

@@ -0,0 +1,24 @@
+# @TEST-DOC: Cluster::on_subscribe and Cluster::on_unsubscribe hooks
+#
+# @TEST-EXEC: zeek --parse-only -b %INPUT
+# @TEST-EXEC: zeek -b %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stdout
+
+hook Cluster::on_subscribe(topic: string)
+	{
+	print "on_subscribe", topic;
+	}
+
+hook Cluster::on_unsubscribe(topic: string)
+	{
+	print "on_unsubscribe", topic;
+	}
+
+event zeek_init()
+	{
+	Cluster::subscribe("/my_topic");
+	Cluster::unsubscribe("/my_topic");
+	Cluster::unsubscribe("/my_topic");
+	Cluster::subscribe("/my_topic2");
+	}

testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test

@@ -0,0 +1,9 @@
+# @TEST-DOC: Regression test for #4730, ReadResponse not parsed properly.
+#
+# @TEST-EXEC: zeek -b -C -r $TRACES/smb/smb_v2_only_non_zero_reserved1.pcap %INPUT
+# @TEST-EXEC: btest-diff files.log
+# @TEST-EXEC: test ! -f analyzer.log
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/smb
+

testing/external/commit-hash.zeek-testing

@@ -1 +1 @@
-270d4b46fa1ab9f2951c2945937bdf739e864304
+6dafc6fd68d9821f33b7f8f4d7d4d877b5827ae3

testing/external/commit-hash.zeek-testing-private

@@ -1 +1 @@
-034c859753b435dc2a6368fa46ecf3e92c98d9da
+1edbd3ae959471e8573c9edc0374235727970710