wordpress passive version/plugin tester

Given the breakneck patch cycle that WordPress and its mighty army of
plugins go through, I put together a quick bit of policy that will
look out for communications between the host and api.wordpress.com and
record all the relevant data. This can probably be improved, but it
seems a nice place to start.

Code can be found here:
https://github.com/set-element/misc-scripts/blob/master/wordpress.bro

Sample software.log output looks like:

nerscs-mbp:tmp scottc$ more software.log
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	software
#open	2015-01-20-17-30-01
#fields	ts	host	host_p	software_type	name	version.major	version.minor	version.minor2	version.minor3	version.addl	unparsed_version
#types	time	addr	port	enum	string	count	count	count	count	string	string
1421262142.829722	10.10.10160	42440	WP_PARSE::WEB_WORDPRESS_CORE	Wordpress	3	4	1	-	-	3.4.1
1421262142.829722	10.10.10160	42440	WP_PARSE::WEB_WORDPRESS_APP	WP_PHP	5	3	3	-	-	5.3.3
1421262142.829722	10.10.10160	42440	WP_PARSE::WEB_WORDPRESS_APP	WP_MySQL	5	0	95	-	-	5.0.95
1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Akismet	2	5	6	-	-	2.5.6
1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Contact+Form+Plugin	3	23	-	-	-	3.23
1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Custom+Meta+Widget	1	4	0	-	-	1.4.0
1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Hello+Dolly	1	6	-	-	-	1.6
1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Jetpack+by+WordPress.com	1	6	1	-	-	1.6.1
1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	papercite	0	5	5	-	-	0.5.5
1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Revision+Control	2	1	-	-	-	2.1
1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Ultimate+TinyMCE	3	0	-	-	-	3.0
1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	WordPress+Importer	0	6	-	-	-	0.6
#close	2015-01-20-17-30-01

enjoy!
scott
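
One way to consume the software.log records shown above and flag hosts whose WordPress components fall below a site baseline. This is an added example, not part of the original post or of wordpress.bro; the sample records, the 192.0.2.10 address, the MIN_VERSIONS baseline and all function names are constructed for illustration.

```python
from urllib.parse import unquote_plus

# Constructed sample in the software.log layout shown above (tab-separated).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tsoftware",
    "#fields\tts\thost\thost_p\tsoftware_type\tname\tversion.major\tversion.minor\tversion.minor2\tversion.minor3\tversion.addl\tunparsed_version",
    "1421262142.829722\t192.0.2.10\t42440\tWP_PARSE::WEB_WORDPRESS_CORE\tWordpress\t3\t4\t1\t-\t-\t3.4.1",
    "1421262143.379851\t192.0.2.10\t42441\tWP_PARSE::WEB_WORDPRESS_PLUGIN\tJetpack+by+WordPress.com\t1\t6\t1\t-\t-\t1.6.1",
    "1421262143.379851\t192.0.2.10\t42441\tWP_PARSE::WEB_WORDPRESS_PLUGIN\tHello+Dolly\t1\t6\t-\t-\t-\t1.6",
    "#close\t2015-01-20-17-30-01",
])

# Hypothetical site policy: minimum acceptable versions (constructed values).
MIN_VERSIONS = {"Wordpress": (4, 1), "Jetpack by WordPress.com": (1, 6, 1)}
VERSION_COLS = ("version.major", "version.minor", "version.minor2", "version.minor3")

def parse_software_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields, unset = [], "-"
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field"):
            unset = line.split("\t")[1]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split("\t")))
            yield {k: (None if v == unset else v) for k, v in rec.items()}

def version_tuple(rec):
    """Four-part comparable version; unset columns count as 0."""
    return tuple(int(rec.get(c) or 0) for c in VERSION_COLS)

def outdated(text, baseline=MIN_VERSIONS):
    """Return (host, name, seen_version) for WordPress entries below baseline."""
    hits = []
    for rec in parse_software_log(text):
        if not rec["software_type"].startswith("WP_PARSE::"):
            continue
        # Assumption: '+' in logged names is form-encoding for a space.
        name = unquote_plus(rec["name"])
        minimum = baseline.get(name)
        if minimum and version_tuple(rec) < minimum + (0,) * (4 - len(minimum)):
            hits.append((rec["host"], name, rec["unparsed_version"]))
    return hits

if __name__ == "__main__":
    for hit in outdated(SAMPLE_LOG):
        print(*hit, sep="\t")
```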