Merge remote-tracking branch 'origin/master' into topic/johanna/hash-unification

CHANGES

@@ -1,4 +1,150 @@
 
+3.2.0-dev.473 | 2020-05-06 10:40:09 -0700
+
+  * Revert addition of final modifier to JSON formatter (Tim Wojtulewicz, Corelight)
+
+3.2.0-dev.471 | 2020-05-06 10:00:58 -0700
+
+  * Fix global buffer over-read in POP3 analyzer (Justin Azoff, Corelight)
+
+  * Fix SSL scripting error leading to access of unitialized field (Jon Siwek, Corelight)
+
+    Reported by Justin Azoff
+
+  * Remove outdated comment on set_to_regex. (Johanna Amann, Corelight)
+
+    We can add patterns at runtime since 2.6.
+
+3.2.0-dev.467 | 2020-05-04 18:00:35 -0700
+
+  * GH-952: Correct spelling of DCE/RPC operation string NetrLogonSameLogonWithFlags
+    (Jon Siwek, Corelight)
+
+3.2.0-dev.466 | 2020-05-04 17:50:14 -0700
+
+  * Add network_time_init() event. (Jan Grashoefer)
+
+    This event is generated upon first initialization of network_time.
+
+3.2.0-dev.461 | 2020-05-04 17:08:46 -0700
+
+  * Avoid scheduling multiple inactivity timers (Justin Azoff and Jon Siwek, Corelight)
+
+    Also updated language.expire_subnet btest which is unduly sensitive to
+    timer-related changes
+
+3.2.0-dev.459 | 2020-05-01 17:46:20 -0700
+
+  * Extend CI config to cover building with libmaxminddb support (Jon Siwek, Corelight)
+
+  * Ensure time continues moving forward if a pcap source is suspended (Tim Wojtulewicz, Corelight)
+
+3.2.0-dev.455 | 2020-05-01 09:44:30 -0700
+
+  * GH-938: fix IO loop iterations sometimes skipping offline pcap sources (Jon Siwek, Corelight)
+
+3.2.0-dev.451 | 2020-04-29 16:28:34 -0700
+
+  * Organized and added to the shipped file identification signatures. (Seth Hall, Corelight)
+
+     - Added ISO 9660 disk image
+
+     - Created new files for categorizing signatures better.
+       - executable.sig - Executable (and bytecode) files.
+       - java.sig - Java related files (class/jar, etc).
+       - programming.sig - Mostly scripting language identification
+
+3.2.0-dev.447 | 2020-04-29 15:55:03 -0700
+
+  * GH-713: Fixed misc/stats.zeek skipping a log entry on termination (Brittany Donowho)
+
+3.2.0-dev.445 | 2020-04-29 15:25:03 -0700
+
+  * Add warning message for unknown Broker statuses (Jon Siwek, Corelight)
+
+    There's now a couple placeholder/unimplemented status values in Broker
+    related to upcoming routing features that we don't want to handle
+    explicitly for compatibility reasons, but also don't want the compiler
+    warning about unhandled values in the switch.
+
+3.2.0-dev.443 | 2020-04-28 17:10:38 -0700
+
+  * GH-941: Fix build when configured to use libmaxminddb (Jon Siwek, Corelight)
+
+3.2.0-dev.441 | 2020-04-27 13:34:22 -0700
+
+  * Fix a few more IntrusivePtr deprecation warnings (Tim Wojtulewicz, Corelight)
+
+  * Fix cloning of TypeType values (Vern Paxson, Corelight)
+
+3.2.0-dev.437 | 2020-04-27 19:30:24 +0000
+
+  * GH-854: provide access to original HTTP/MIME header names
+
+    The "http_header" event now has an "original_name" parameter that allows
+    access to the original header name (the "name" parameter reamins the
+    same as before: it's the uppercased header name).
+
+    The "mime_header_rec" record type now also includes an "original_name"
+    field to similarly provide access to original header name in the
+    following events: "http_all_headers", "mime_one_header", and
+    "mime_all_headers". (Jon Siwek, Corelight)
+
+  * Remove error message from empty bloomfilter lookups
+
+    If a bloomfilter doesn't have a type, that just means no
+    bloomfilter_add() has been called yet, so seems undesirable to emit an
+    error for a lookup against something that's known to be empty. (Jon Siwek, Corelight)
+
+  * unused variables found via use-def analysis (plus an indentation micro-nit) (Vern Paxson, Corelight)
+
+3.2.0-dev.431 | 2020-04-27 12:09:30 -0700
+
+  * Update various BIFs to return IntrusivePtr (Jon Siwek, Corelight)
+
+3.2.0-dev.428 | 2020-04-24 16:19:45 -0700
+
+  * Deprecate returning Val* from BIFs (Jon Siwek, Corelight)
+
+  * Deprecate binpac::string_to_val (Jon Siwek, Corelight)
+
+  * Deprecate binpac::bytestring_to_val, replace with binpac::to_stringval (Jon Siwek, Corelight)
+
+  * Update deprecated BifEvent::generate_* usages (Jon Siwek, Corelight)
+
+  * Deprecate Connection::Event and Analyzer::Event methods
+
+    And update usages to the "EnqueueEvent" methods. (Jon Siwek, Corelight)
+
+  * Deprecate BuildConnVal() methods and update usages to ConnVal()
+
+    The later being a new method that returns IntrusivePtr (Jon Siwek, Corelight)
+
+  * Update all BIFs to return IntrusivePtr instead of Val* (Jon Siwek, Corelight)
+
+  * Update deprecated ValManager::GetPort usages (Jon Siwek, Corelight)
+
+  * Update deprecated ValManager::GetEmptyString usages (Jon Siwek, Corelight)
+
+  * Update deprecated ValManager::GetCount usages (Jon Siwek, Corelight)
+
+  * Update deprecated ValManager::GetInt usages (Jon Siwek, Corelight)
+
+  * Update deprecated ValManager::GetBool usages (Jon Siwek, Corelight)
+
+  * Update deprecated ValManager GetTrue/GetFalse usages (Jon Siwek, Corelight)
+
+  * Deprecate all ValManager "Get" methods
+
+    Alternate methods that return IntrusivePtr are available in similarly
+    named methods that omit the "Get" prefix. (Jon Siwek, Corelight)
+
+  * Change BIFs to return a wrapper object
+
+    That allows returning either Val* or IntrusivePtr<T>.  The former could
+    eventually be deprecated, but it's used extensively at the moment. (Jon Siwek, Corelight)
+
+
 3.2.0-dev.412 | 2020-04-22 10:43:39 -0700
 
   * Fix buffer over-read in Ident analyzer (Max Kellermann)

NEWS

@@ -37,6 +37,10 @@ New Functionality
   and ``udp_content_delivery_ports_orig`` options is determined. The current value
   keeps behavior as it was in previous versions of Zeek.
 
+- Add a file signature to identify ISO9660 disk images (application/x-iso9660-image)
+
+- Add file signature to identify Python bytecode (application/x-python-bytecode)
+
 Changed Functionality
 ---------------------
 
@@ -76,6 +80,12 @@ Changed Functionality
   raise this event (injecting connections via broccoli) was removed a while ago;
   the event handler served no purpose anymore.
 
+- Reorganize the file signatures to break them out into more groups.  This may
+  break scripts that had been explicitly loading any signature files that moved.
+
+- The DCE/RPC operation string of "NetrLogonSamLogonWithFlags" has been
+  corrected from "NetrLogonSameLogonWithFlags".
+
 Removed Functionality
 ---------------------
 
@@ -96,7 +106,7 @@ Deprecated Functionality
 - The ``EventMgr::QueueEvent()`` and EventMgr::QueueEventFast()`` methods
   are now deprecated, use ``EventMgr::Enqueue()`` instead.
 
-- The ``Connection::ConnectionEvent()`` and
+- The ``Connection::ConnectionEvent()``, ``Connection::Event()``, and
   ``Connection::ConnectionEventFast()`` methods are now deprecated, use
   ``Connection::EnqueueEvent()`` instead.
 
@@ -104,10 +114,25 @@ Deprecated Functionality
   arguments are now deprecated, use the overload that takes a ``zeek::Args``
   instead.
 
-- The ``analyzer::Analyzer::ConnectionEvent()`` and
+- The ``analyzer::Analyzer::ConnectionEvent()``, ``analyzer::Analyzer::Event``,
-  ``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use
+  and ``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use
   ``analyzer::Analyzer::EnqueueConnEvent()`` instead.
 
+- All ``val_mgr`` methods starting with "Get" are deprecated, use the new
+  ``val_mgr`` methods that return ``IntrusivePtr``.
+
+- ``Connection::BuildConnVal()`` is deprecated, use ``Connection::ConnVal()``.
+
+- ``Analyzer::BuildConnVal()`` is deprecated, use ``Analyzer::ConnVal()``.
+
+- ``BifEvent::generate_`` functions are deprecated, use ``BifEvent::enqueue_``.
+
+- ``binpac::bytestring_to_val()`` is deprecated, use ``binpac::to_stringval()``.
+
+- ``binpac::string_to_val()`` is deprecated, use ``StringVal`` constructor.
+
+- Returning ``Val*`` from BIFs is deprecated, return ``IntrusivePtr`` instead.
+
 Zeek 3.1.0
 ==========
 

VERSION

@@ -1 +1 @@
-3.2.0-dev.412
+3.2.0-dev.473

aux/bifcl

@@ -1 +1 @@
-Subproject commit 66b4b30305237f48535276a00a52ca304659400b
+Subproject commit e17abfe8cd478fe90500a44c2081f4f97aade897

aux/binpac

@@ -1 +1 @@
-Subproject commit 60681f1a7dca89f71c4f4ca4f7424bf0484f4ee0
+Subproject commit e1de4da6b3aee300d0a034ef90d59b7adc3efe34

aux/broker

@@ -1 +1 @@
-Subproject commit 6ea6728218085732ebea5044fdce5b0bf5b052c5
+Subproject commit 8b2c9a9e1e67d145af442fa2175dcb18b643a317

aux/btest

@@ -1 +1 @@
-Subproject commit 87896050d7ac189f0e063bb90c3fa37a6c977f83
+Subproject commit 0528e8bc8e6e0108ec2f752896b2aa8b5dd949dd

aux/zeek-aux

@@ -1 +1 @@
-Subproject commit a98acb8f80390bbb89f33df483eac8f6b4b6e05d
+Subproject commit be04ea0e7b2b265d65b1fac5b644ce646603bdf2

aux/zeekctl

@@ -1 +1 @@
-Subproject commit 7e65a34905ec9684c442da5f737fe75beb94aae6
+Subproject commit 1f6290b2b05af07034354ea7621a99f708081fae

ci/ubuntu-18.04/Dockerfile

@@ -15,6 +15,7 @@ RUN apt-get update && apt-get -y install \
     python3-pip\
     swig \
     zlib1g-dev \
+    libmaxminddb-dev \
     libkrb5-dev \
     bsdmainutils \
     sqlite3 \

cmake

@@ -1 +1 @@
-Subproject commit 861e37c50410b37d08687a691d5868bfff9694dd
+Subproject commit d85153d8e0e62fbd6f1125c498b2741f4bc987dc

doc

@@ -1 +1 @@
-Subproject commit 7b59ef1ab823a77dff78991b6a8808be5ba9072d
+Subproject commit 850c5bea8787c315cddc9079a29a17d89db055ec

scripts/base/frameworks/cluster/setup-connections.zeek

@@ -28,7 +28,6 @@ function connect_peer(node_type: NodeType, node_name: string)
 
 function connect_peers_with_type(node_type: NodeType)
 	{
-	local rval: vector of NamedNode = vector();
 	local nn = nodes_with_type(node_type);
 
 	for ( i in nn )

scripts/base/frameworks/files/magic/__load__.zeek

@@ -1,9 +1,12 @@
 @load-sigs ./archive
 @load-sigs ./audio
+@load-sigs ./executable
 @load-sigs ./font
 @load-sigs ./general
 @load-sigs ./image
-@load-sigs ./msoffice
+@load-sigs ./java
+@load-sigs ./office
+@load-sigs ./programming
 @load-sigs ./video
 
 @load-sigs ./libmagic

scripts/base/frameworks/files/magic/archive.sig

@@ -49,11 +49,17 @@ signature file-xar {
 }
 
 # RPM
-signature file-magic-auto352 {
+signature file-rpm {
 	file-mime "application/x-rpm", 70
 	file-magic /^(drpm|\xed\xab\xee\xdb)/
 }
 
+# Debian Binary Package
+signature file-deb {
+	file-mime "application/x-debian-package", 171
+	file-magic /\x21\x3carch\x3e\x0adebian/
+}
+
 # StuffIt
 signature file-stuffit {
 	file-mime "application/x-stuffit", 70
@@ -179,3 +185,9 @@ signature file-ace-archive {
     file-mime "application/x-ace", 100
     file-magic /^.{7}\*\*ACE\*\*/
 }
+
+# Bzip2 archive file.
+signature file-bzip2 {
+	file-mime "application/x-bzip2", 60
+	file-magic /^BZh/
+}

scripts/base/frameworks/files/magic/executable.sig

@@ -0,0 +1,106 @@
+# Portable Executable
+signature file-pe {
+	file-mime "application/x-dosexec", 51
+	file-magic /MZ/
+}
+
+signature file-elf-object {
+	file-mime "application/x-object", 50
+	file-magic /\x7fELF[\x01\x02](\x01.{10}\x01\x00|\x02.{10}\x00\x01)/
+}
+
+signature file-elf {
+	file-mime "application/x-executable", 50
+	file-magic /\x7fELF[\x01\x02](\x01.{10}\x02\x00|\x02.{10}\x00\x02)/
+}
+
+signature file-elf-sharedlib {
+	file-mime "application/x-sharedlib", 50
+	file-magic /\x7fELF[\x01\x02](\x01.{10}\x03\x00|\x02.{10}\x00\x03)/
+}
+
+signature file-elf-coredump {
+	file-mime "application/x-coredump", 50
+	file-magic /\x7fELF[\x01\x02](\x01.{10}\x04\x00|\x02.{10}\x00\x04)/
+}
+
+# Mac OS X Mach-O executable
+signature file-mach-o {
+	file-magic /^[\xce\xcf]\xfa\xed\xfe/
+	file-mime "application/x-mach-o-executable", 100
+}
+
+# Mac OS X Universal Mach-O executable
+signature file-mach-o-universal {
+	file-magic /^\xca\xfe\xba\xbe..\x00[\x01-\x14]/
+	file-mime "application/x-mach-o-executable", 100
+}
+
+# Emacs/XEmacs byte-compiled Lisp
+signature file-elc {
+	file-mime "application/x-elc", 10
+	file-magic /\x3bELC[\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff]/
+}
+
+# Python 1 bytecode
+signature file-pyc-1 {
+	file-magic /^(\xfc\xc4|\x99\x4e)\x0d\x0a/
+	file-mime "application/x-python-bytecode", 80
+}
+
+# Python 2 bytecode
+signature file-pyc-2 {
+	file-magic /^(\x87\xc6|[\x2a\x2d]\xed|[\x3b\x45\x59\x63\x6d\x77\x81\x8b\x8c\x95\x9f\xa9\xb3\xc7\xd1\xdb\xe5\xef\xf9]\xf2|\x03\xf3)\x0d\x0a/
+	file-mime "application/x-python-bytecode", 80
+}
+
+# Python 3.0 bytecode
+signature file-pyc-3-0 {
+	file-magic /^([\xb8\xc2\xcc\xd6\xe0\xea\xf4\xf5\xff]\x0b|[\x09\x13\x1d\x1f\x27\x3b]\x0c)\x0d\x0a/
+	file-mime "application/x-python-bytecode", 80
+}
+
+
+# Python 3.1 bytecode
+signature file-pyc-3-1 {
+	file-magic /^[\x45\x4f]\x0c\x0d\x0a/
+	file-mime "application/x-python-bytecode", 80
+}
+
+
+# Python 3.2 bytecode
+signature file-pyc-3-2 {
+	file-magic /^[\x58\x62\x6c]\x0c\x0d\x0a/
+	file-mime "application/x-python-bytecode", 80
+}
+
+# Python 3.3 bytecode
+signature file-pyc-3-3 {
+	file-magic /^[\x76\x80\x94\x9e]\x0c\x0d\x0a/
+	file-mime "application/x-python-bytecode", 80
+}
+
+
+# Python 3.4 bytecode
+signature file-pyc-3-4 {
+	file-magic /^[\xb2\xcc\xc6\xd0\xda\xe4\xee]\x0c\x0d\x0a/
+	file-mime "application/x-python-bytecode", 80
+}
+
+# Python 3.5 bytecode
+signature file-pyc-3-5 {
+	file-magic /^(\xf8\x0c|[\x02\x0c\x16\x17]\x0d)\x0d\x0a/
+	file-mime "application/x-python-bytecode", 80
+}
+
+# Python 3.6 bytecode
+signature file-pyc-3-6 {
+	file-magic /^[\x20\x21\x2a-\x2d\x2f-\x33]\x0d\x0d\x0a/
+	file-mime "application/x-python-bytecode", 80
+}
+
+# Python 3.7 bytecode
+signature file-pyc-3-7 {
+	file-magic /^[\x3e-\x42]\x0d\x0d\x0a/
+	file-mime "application/x-python-bytecode", 80
+}

scripts/base/frameworks/files/magic/general.sig

@@ -131,16 +131,6 @@ signature file-afpinfo {
 	file-magic /^AFP/
 }
 
-signature file-jar {
-	file-mime "application/java-archive", 100
-	file-magic /^PK\x03\x04.{1,200}\x14\x00..META-INF\/MANIFEST\.MF/
-}
-
-signature file-java-applet {
-	file-mime "application/x-java-applet", 71
-	file-magic /^\xca\xfe\xba\xbe...[\x2d-\x34]/
-}
-
 # OCSP requests over HTTP.
 signature file-ocsp-request {
 	file-magic /^.{11,19}\x06\x05\x2b\x0e\x03\x02\x1a/
@@ -165,18 +155,6 @@ signature file-tnef {
 	file-mime "application/vnd.ms-tnef", 100
 }
 
-# Mac OS X Mach-O executable
-signature file-mach-o {
-	file-magic /^[\xce\xcf]\xfa\xed\xfe/
-	file-mime "application/x-mach-o-executable", 100
-}
-
-# Mac OS X Universal Mach-O executable
-signature file-mach-o-universal {
-	file-magic /^\xca\xfe\xba\xbe..\x00[\x01-\x14]/
-	file-mime "application/x-mach-o-executable", 100
-}
-
 signature file-pkcs7 {
 	file-magic /^MIME-Version:.*protocol=\"application\/pkcs7-signature\"/
 	file-mime "application/pkcs7-signature", 100
@@ -188,12 +166,6 @@ signature file-pem {
 	file-mime "application/x-pem"
 }
 
-# Java Web Start file.
-signature file-jnlp {
-	file-magic /^\<jnlp\x20/
-	file-mime "application/x-java-jnlp-file", 100
-}
-
 signature file-pcap {
 	file-magic /^(\xa1\xb2\xc3\xd4|\xd4\xc3\xb2\xa1)/
 	file-mime "application/vnd.tcpdump.pcap", 70
@@ -204,82 +176,6 @@ signature file-pcap-ng {
 	file-mime "application/vnd.tcpdump.pcap", 100
 }
 
-signature file-shellscript {
-	file-mime "text/x-shellscript", 250
-	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(ba|tc|c|z|fa|ae|k)?sh/
-}
-
-signature file-perl {
-	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?perl/
-	file-mime "text/x-perl", 60
-}
-
-signature file-ruby {
-	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?ruby/
-	file-mime "text/x-ruby", 60
-}
-
-signature file-python {
-	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?python/
-	file-mime "text/x-python", 60
-}
-
-signature file-awk {
-	file-mime "text/x-awk", 60
-	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(g|n)?awk/
-}
-
-signature file-tcl {
-	file-mime "text/x-tcl", 60
-	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(wish|tcl)/
-}
-
-signature file-lua {
-	file-mime "text/x-lua", 49
-	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?lua/
-}
-
-signature file-javascript {
-	file-mime "application/javascript", 60
-	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?node(js)?/
-}
-
-signature file-javascript2 {
-	file-mime "application/javascript", 60
-	file-magic /^[\x0d\x0a[:blank:]]*<[sS][cC][rR][iI][pP][tT][[:blank:]]+([tT][yY][pP][eE]|[lL][aA][nN][gG][uU][aA][gG][eE])=['"]?([tT][eE][xX][tT]\/)?[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
-}
-
-signature file-javascript3 {
-	file-mime "application/javascript", 60
-	# This seems to be a somewhat common idiom in javascript.
-	file-magic /^[\x0d\x0a[:blank:]]*for \(;;\);/
-}
-
-signature file-javascript4 {
-	file-mime "application/javascript", 60
-	file-magic /^[\x0d\x0a[:blank:]]*document\.write(ln)?[:blank:]?\(/
-}
-
-signature file-javascript5 {
-	file-mime "application/javascript", 60
-	file-magic /^\(function\(\)[[:blank:]\n]*\{/
-}
-
-signature file-javascript6 {
-	file-mime "application/javascript", 60
-	file-magic /^[\x0d\x0a[:blank:]]*<script>[\x0d\x0a[:blank:]]*(var|function) /
-}
-
-signature file-php {
-	file-mime "text/x-php", 60
-	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?php/
-}
-
-signature file-php2 {
-	file-magic /^.*<\?php/
-	file-mime "text/x-php", 40
-}
-
 # Stereolithography ASCII format
 signature file-stl-ascii {
 	file-magic /^solid\x20/
@@ -390,26 +286,6 @@ signature file-msqm {
 	file-magic /^MSQM/
 }
 
-signature file-elf-object {
-	file-mime "application/x-object", 50
-	file-magic /\x7fELF[\x01\x02](\x01.{10}\x01\x00|\x02.{10}\x00\x01)/
-}
-
-signature file-elf {
-	file-mime "application/x-executable", 50
-	file-magic /\x7fELF[\x01\x02](\x01.{10}\x02\x00|\x02.{10}\x00\x02)/
-}
-
-signature file-elf-sharedlib {
-	file-mime "application/x-sharedlib", 50
-	file-magic /\x7fELF[\x01\x02](\x01.{10}\x03\x00|\x02.{10}\x00\x03)/
-}
-
-signature file-elf-coredump {
-	file-mime "application/x-coredump", 50
-	file-magic /\x7fELF[\x01\x02](\x01.{10}\x04\x00|\x02.{10}\x00\x04)/
-}
-
 signature file-vim-tmp {
 	file-mime "application/x-vim-tmp", 100
 	file-magic /^b0VIM/
@@ -420,3 +296,10 @@ signature file-windows-minidump {
     file-mime "application/x-windows-minidump", 50
     file-magic /^MDMP/
 }
+
+# ISO 9660 disk image
+signature file-iso9660 {
+        file-mime "application/x-iso9660-image", 99
+        file-magic /CD001/
+}
+

scripts/base/frameworks/files/magic/java.sig

@@ -0,0 +1,31 @@
+signature file-jar {
+	file-mime "application/java-archive", 100
+	file-magic /^PK\x03\x04.{1,200}\x14\x00..META-INF\/MANIFEST\.MF/
+}
+
+signature file-java-applet {
+	file-mime "application/x-java-applet", 71
+	file-magic /^\xca\xfe\xba\xbe...[\x2d-\x34]/
+}
+
+# JAR compressed with pack200
+signature file-jar-pack200 {
+	file-mime "application/x-java-pack200", 1
+	file-magic /^\xca\xfe\xd0\x0d./
+}
+
+# Java Web Start file.
+signature file-jnlp {
+	file-magic /^\<jnlp\x20/
+	file-mime "application/x-java-jnlp-file", 100
+}
+
+signature file-java-keystore {
+	file-mime "application/x-java-keystore", 70
+	file-magic /^\xfe\xed\xfe\xed/
+}
+
+signature file-java-jce-keystore {
+	file-mime "application/x-java-jce-keystore", 70
+	file-magic /^\xce\xce\xce\xce/
+}

scripts/base/frameworks/files/magic/libmagic.sig

@@ -155,12 +155,6 @@ signature file-magic-auto53 {
 	file-magic /(MAS\x5fUTrack\x5fV00)(\x2f0)/
 }
 
-# >0  string,=!<arch>\ndebian (len=14), [""], swap_endian=0
-signature file-magic-auto54 {
-	file-mime "application/x-debian-package", 171
-	file-magic /(\x21\x3carch\x3e\x0adebian)/
-}
-
 # >0  string,=II\032\000\000\000HEAPCCDR (len=14), ["Canon CIFF raw image data"], swap_endian=0
 signature file-magic-auto55 {
 	file-mime "image/x-canon-crw", 170
@@ -609,12 +603,6 @@ signature file-magic-auto203 {
 #	file-magic /(.{512})(.{4})(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4])(.{490})([\xff])(.{1037})(\x00\x00\x00\x00\x00\x00\x00\x00)(.*)(.{8})/
 #}
 
-# >0  string,=;ELC (len=4), [""], swap_endian=0
-# >>4  byte&,<0x20, ["Emacs/XEmacs v%d byte-compiled Lisp data"], swap_endian=0
-signature file-magic-auto223 {
-	file-mime "application/x-elc", 10
-	file-magic /(\x3bELC)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
-}
 
 # >0  string,=PK\003\004 (len=4), [""], swap_endian=0
 # >>4  byte&,=0x14, [""], swap_endian=0
@@ -640,174 +628,6 @@ signature file-magic-auto226 {
 #	file-magic /(.{4})(.{7})(.{2})(.*)(.{2})(.*)(.{2})(.{8})([\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.{32})(FAT16)(.{4})/
 #}
 
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=text (len=4), [""], swap_endian=0
-# >>>>>77  byte&,!0x2d, ["Text"], swap_endian=0
-signature file-magic-auto228 {
-	file-mime "application/vnd.oasis.opendocument.text", 110
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=text (len=4), [""], swap_endian=0
-# >>>>>77  string,=-template (len=9), ["Text Template"], swap_endian=0
-signature file-magic-auto229 {
-	file-mime "application/vnd.oasis.opendocument.text-template", 120
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dtemplate)/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=text (len=4), [""], swap_endian=0
-# >>>>>77  string,=-web (len=4), ["HTML Document Template"], swap_endian=0
-signature file-magic-auto230 {
-	file-mime "application/vnd.oasis.opendocument.text-web", 70
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dweb)/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=text (len=4), [""], swap_endian=0
-# >>>>>77  string,=-master (len=7), ["Master Document"], swap_endian=0
-signature file-magic-auto231 {
-	file-mime "application/vnd.oasis.opendocument.text-master", 100
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dmaster)/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=graphics (len=8), [""], swap_endian=0
-# >>>>>81  byte&,!0x2d, ["Drawing"], swap_endian=0
-signature file-magic-auto232 {
-	file-mime "application/vnd.oasis.opendocument.graphics", 110
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(graphics)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=graphics (len=8), [""], swap_endian=0
-# >>>>>81  string,=-template (len=9), ["Template"], swap_endian=0
-signature file-magic-auto233 {
-	file-mime "application/vnd.oasis.opendocument.graphics-template", 120
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(graphics)(\x2dtemplate)/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=presentation (len=12), [""], swap_endian=0
-# >>>>>85  byte&,!0x2d, ["Presentation"], swap_endian=0
-signature file-magic-auto234 {
-	file-mime "application/vnd.oasis.opendocument.presentation", 110
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(presentation)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=presentation (len=12), [""], swap_endian=0
-# >>>>>85  string,=-template (len=9), ["Template"], swap_endian=0
-signature file-magic-auto235 {
-	file-mime "application/vnd.oasis.opendocument.presentation-template", 120
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(presentation)(\x2dtemplate)/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=spreadsheet (len=11), [""], swap_endian=0
-# >>>>>84  byte&,!0x2d, ["Spreadsheet"], swap_endian=0
-signature file-magic-auto236 {
-	file-mime "application/vnd.oasis.opendocument.spreadsheet", 110
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(spreadsheet)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=spreadsheet (len=11), [""], swap_endian=0
-# >>>>>84  string,=-template (len=9), ["Template"], swap_endian=0
-signature file-magic-auto237 {
-	file-mime "application/vnd.oasis.opendocument.spreadsheet-template", 120
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(spreadsheet)(\x2dtemplate)/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=chart (len=5), [""], swap_endian=0
-# >>>>>78  byte&,!0x2d, ["Chart"], swap_endian=0
-signature file-magic-auto238 {
-	file-mime "application/vnd.oasis.opendocument.chart", 110
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(chart)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=chart (len=5), [""], swap_endian=0
-# >>>>>78  string,=-template (len=9), ["Template"], swap_endian=0
-signature file-magic-auto239 {
-	file-mime "application/vnd.oasis.opendocument.chart-template", 120
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(chart)(\x2dtemplate)/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=formula (len=7), [""], swap_endian=0
-# >>>>>80  byte&,!0x2d, ["Formula"], swap_endian=0
-signature file-magic-auto240 {
-	file-mime "application/vnd.oasis.opendocument.formula", 1110
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(formula)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=formula (len=7), [""], swap_endian=0
-# >>>>>80  string,=-template (len=9), ["Template"], swap_endian=0
-signature file-magic-auto241 {
-	file-mime "application/vnd.oasis.opendocument.formula-template", 120
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(formula)(\x2dtemplate)/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=database (len=8), ["Database"], swap_endian=0
-signature file-magic-auto242 {
-	file-mime "application/vnd.oasis.opendocument.database", 110
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(database)/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=image (len=5), [""], swap_endian=0
-# >>>>>78  byte&,!0x2d, ["Image"], swap_endian=0
-signature file-magic-auto243 {
-	file-mime "application/vnd.oasis.opendocument.image", 110
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(image)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
-}
-
-# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
-# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
-# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
-# >>>>73  string,=image (len=5), [""], swap_endian=0
-# >>>>>78  string,=-template (len=9), ["Template"], swap_endian=0
-signature file-magic-auto244 {
-	file-mime "application/vnd.oasis.opendocument.image-template", 120
-	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(image)(\x2dtemplate)/
-}
 
 # >0  string,=PK\003\004 (len=4), [""], swap_endian=0
 # >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
@@ -917,18 +737,6 @@ signature file-magic-auto293 {
 	file-magic /(\x0e\x03\x13\x01)/
 }
 
-# >0  belong&,=-17957139 (0xfeedfeed), ["Java KeyStore"], swap_endian=0
-signature file-magic-auto302 {
-	file-mime "application/x-java-keystore", 70
-	file-magic /(\xfe\xed\xfe\xed)/
-}
-
-# >0  belong&,=-825307442 (0xcececece), ["Java JCE KeyStore"], swap_endian=0
-signature file-magic-auto303 {
-	file-mime "application/x-java-jce-keystore", 70
-	file-magic /(\xce\xce\xce\xce)/
-}
-
 ## >1080  string,=32CN (len=4), ["32-channel Taketracker module sound data"], swap_endian=0
 #signature file-magic-auto304 {
 #	file-mime "audio/x-mod", 70
@@ -1264,21 +1072,6 @@ signature file-magic-auto385 {
 	file-magic /(OggS)/
 }
 
-
-# >0  belong&,=-889270259 (0xcafed00d), ["JAR compressed with pack200,"], swap_endian=0
-# >>4  byte&,x, ["%d"], swap_endian=0
-signature file-magic-auto387 {
-	file-mime "application/x-java-pack200", 1
-	file-magic /(\xca\xfe\xd0\x0d)(.{1})/
-}
-
-# >0  belong&,=-889270259 (0xcafed00d), ["JAR compressed with pack200,"], swap_endian=0
-# >>4  byte&,x, ["%d"], swap_endian=0
-signature file-magic-auto388 {
-	file-mime "application/x-java-pack200", 1
-	file-magic /(\xca\xfe\xd0\x0d)(.{1})/
-}
-
 ## >0  search/4096,=\documentstyle (len=14), ["LaTeX document text"], swap_endian=0
 #signature file-magic-auto390 {
 #	file-mime "text/x-tex", 62
@@ -1332,12 +1125,6 @@ signature file-magic-auto405 {
 	file-magic /(\x04\x25\x21)/
 }
 
-# >0  string,=BZh (len=3), ["bzip2 compressed data"], swap_endian=0
-signature file-magic-auto406 {
-	file-mime "application/x-bzip2", 60
-	file-magic /(BZh)/
-}
-
 ## >0  search/4096,=\documentclass (len=14), ["LaTeX 2e document text"], swap_endian=0
 #signature file-magic-auto412 {
 #	file-mime "text/x-tex", 59
@@ -1380,12 +1167,6 @@ signature file-magic-auto406 {
 #	file-magic /(.*)(\x28custom\x2dset\x2dvariables )/
 #}
 
-# >0  string/b,=MZ (len=2), [""], swap_endian=0
-signature file-magic-auto433 {
-	file-mime "application/x-dosexec", 51
-	file-magic /(MZ)/
-}
-
 # >20  string,=45 (len=2), [""], swap_endian=0
 # >>0  regex/1,=(^[0-9]{5})[acdnp][^bhlnqsu-z] (len=30), ["MARC21 Bibliographic"], swap_endian=0
 signature file-magic-auto460 {
@@ -1620,39 +1401,6 @@ signature file-magic-auto532 {
 #	file-magic /(.{4})(.*)([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f])(.*)([\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.{26})([\x00])(.*)(.{4})(.*)(.{4})(.*)(.{4})(.{12})([\x00\x01\x02\x03\x04\x05\x06\x07])(.*)(.{2})(.{22})([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
 #}
 
-# >0  string/t,=@ (len=1), [""], swap_endian=0
-# >>1  string/Wc,= echo off (len=9), ["DOS batch file text"], swap_endian=0
-signature file-magic-auto573 {
-	file-mime "text/x-msdos-batch", 120
-	file-magic /(\x40)( {1,}[eE][cC][hH][oO] {1,}[oO][fF][fF])/
-}
-
-# >0  string/t,=@ (len=1), [""], swap_endian=0
-# >>1  string/Wc,=echo off (len=8), ["DOS batch file text"], swap_endian=0
-signature file-magic-auto574 {
-	file-mime "text/x-msdos-batch", 110
-	file-magic /(\x40)([eE][cC][hH][oO] {1,}[oO][fF][fF])/
-}
-
-# >0  string/t,=@ (len=1), [""], swap_endian=0
-# >>1  string/Wc,=rem (len=3), ["DOS batch file text"], swap_endian=0
-signature file-magic-auto575 {
-	file-mime "text/x-msdos-batch", 60
-	file-magic /(\x40)([rR][eE][mM])/
-}
-
-# >0  string/t,=@ (len=1), [""], swap_endian=0
-# >>1  string/Wc,=set  (len=4), ["DOS batch file text"], swap_endian=0
-signature file-magic-auto576 {
-	file-mime "text/x-msdos-batch", 70
-	file-magic /(\x40)([sS][eE][tT] {1,})/
-}
-
-# >0  regex,=^dnl  (len=5), ["M4 macro processor script text"], swap_endian=0
-signature file-magic-auto578 {
-	file-mime "text/x-m4", 40
-	file-magic /(^dnl )/
-}
 
 ## >0  search/4096,=(defparam  (len=10), ["Lisp/Scheme program text"], swap_endian=0
 #signature file-magic-auto583 {

scripts/base/frameworks/files/magic/msoffice.sig

@@ -1,34 +0,0 @@
-
-# This signature is non-specific and terrible but after
-# searching for a long time there doesn't seem to be a 
-# better option.  
-signature file-msword {
-	file-magic /^\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1/
-	file-mime "application/msword", 50
-}
-
-signature file-ooxml {
-	file-magic /^PK\x03\x04\x14\x00\x06\x00/
-	file-mime "application/vnd.openxmlformats-officedocument", 50
-}
-
-signature file-docx {
-	file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|word\x2f).*PK\x03\x04.{26}word\x2f/
-	file-mime "application/vnd.openxmlformats-officedocument.wordprocessingml.document", 80
-}
-
-signature file-xlsx {
-	file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|xl\x2f).*PK\x03\x04.{26}xl\x2f/
-	file-mime "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", 80
-}
-
-signature file-pptx {
-	file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|ppt\x2f).*PK\x03\x04.{26}ppt\x2f/
-	file-mime "application/vnd.openxmlformats-officedocument.presentationml.presentation", 80
-}
-
-signature file-msaccess {
-	file-mime "application/x-msaccess", 180
-	file-magic /.{4}Standard (Jet|ACE) DB\x00/
-}
-

scripts/base/frameworks/files/magic/office.sig

@@ -0,0 +1,118 @@
+
+# This signature is non-specific and terrible but after
+# searching for a long time there doesn't seem to be a 
+# better option.  
+signature file-msword {
+	file-magic /^\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1/
+	file-mime "application/msword", 50
+}
+
+signature file-ooxml {
+	file-magic /^PK\x03\x04\x14\x00\x06\x00/
+	file-mime "application/vnd.openxmlformats-officedocument", 50
+}
+
+signature file-docx {
+	file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|word\x2f).*PK\x03\x04.{26}word\x2f/
+	file-mime "application/vnd.openxmlformats-officedocument.wordprocessingml.document", 80
+}
+
+signature file-xlsx {
+	file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|xl\x2f).*PK\x03\x04.{26}xl\x2f/
+	file-mime "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", 80
+}
+
+signature file-pptx {
+	file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|ppt\x2f).*PK\x03\x04.{26}ppt\x2f/
+	file-mime "application/vnd.openxmlformats-officedocument.presentationml.presentation", 80
+}
+
+signature file-msaccess {
+	file-mime "application/x-msaccess", 180
+	file-magic /.{4}Standard (Jet|ACE) DB\x00/
+}
+
+signature file-opendocument-text {
+	file-mime "application/vnd.oasis.opendocument.text", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+signature file-opendocument-text-template {
+	file-mime "application/vnd.oasis.opendocument.text-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dtemplate)/
+}
+
+signature file-opendocument-text-web {
+	file-mime "application/vnd.oasis.opendocument.text-web", 70
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dweb)/
+}
+
+signature file-opendocument-text-master {
+	file-mime "application/vnd.oasis.opendocument.text-master", 100
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dmaster)/
+}
+
+signature file-opendocument-graphics {
+	file-mime "application/vnd.oasis.opendocument.graphics", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(graphics)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+signature file-opendocument-graphics-template {
+	file-mime "application/vnd.oasis.opendocument.graphics-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(graphics)(\x2dtemplate)/
+}
+
+signature file-opendocument-presentation {
+	file-mime "application/vnd.oasis.opendocument.presentation", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(presentation)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+signature file-opendocument-presentation-template {
+	file-mime "application/vnd.oasis.opendocument.presentation-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(presentation)(\x2dtemplate)/
+}
+
+signature file-opendocument-spreadsheet {
+	file-mime "application/vnd.oasis.opendocument.spreadsheet", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(spreadsheet)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+signature file-opendocument-spreadsheet-template {
+	file-mime "application/vnd.oasis.opendocument.spreadsheet-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(spreadsheet)(\x2dtemplate)/
+}
+
+signature file-opendocument-chart {
+	file-mime "application/vnd.oasis.opendocument.chart", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(chart)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+signature file-opendocument-chart-template {
+	file-mime "application/vnd.oasis.opendocument.chart-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(chart)(\x2dtemplate)/
+}
+
+signature file-opendocument-formula {
+	file-mime "application/vnd.oasis.opendocument.formula", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(formula)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+signature file-opendocument-formula-template {
+	file-mime "application/vnd.oasis.opendocument.formula-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(formula)(\x2dtemplate)/
+}
+
+signature file-opendocument-database {
+	file-mime "application/vnd.oasis.opendocument.database", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(database)/
+}
+
+signature file-opendocument-image {
+	file-mime "application/vnd.oasis.opendocument.image", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(image)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+signature file-image-template {
+	file-mime "application/vnd.oasis.opendocument.image-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(image)(\x2dtemplate)/
+}

scripts/base/frameworks/files/magic/programming.sig

@@ -0,0 +1,96 @@
+signature file-shellscript {
+	file-mime "text/x-shellscript", 250
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(ba|tc|c|z|fa|ae|k)?sh/
+}
+
+signature file-perl {
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?perl/
+	file-mime "text/x-perl", 60
+}
+
+signature file-ruby {
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?ruby/
+	file-mime "text/x-ruby", 60
+}
+
+signature file-python {
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?python/
+	file-mime "text/x-python", 60
+}
+
+signature file-awk {
+	file-mime "text/x-awk", 60
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(g|n)?awk/
+}
+
+signature file-tcl {
+	file-mime "text/x-tcl", 60
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(wish|tcl)/
+}
+
+signature file-lua {
+	file-mime "text/x-lua", 49
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?lua/
+}
+
+signature file-javascript {
+	file-mime "application/javascript", 60
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?node(js)?/
+}
+
+signature file-javascript2 {
+	file-mime "application/javascript", 60
+	file-magic /^[\x0d\x0a[:blank:]]*<[sS][cC][rR][iI][pP][tT][[:blank:]]+([tT][yY][pP][eE]|[lL][aA][nN][gG][uU][aA][gG][eE])=['"]?([tT][eE][xX][tT]\/)?[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
+}
+
+signature file-javascript3 {
+	file-mime "application/javascript", 60
+	# This seems to be a somewhat common idiom in javascript.
+	file-magic /^[\x0d\x0a[:blank:]]*for \(;;\);/
+}
+
+signature file-javascript4 {
+	file-mime "application/javascript", 60
+	file-magic /^[\x0d\x0a[:blank:]]*document\.write(ln)?[:blank:]?\(/
+}
+
+signature file-javascript5 {
+	file-mime "application/javascript", 60
+	file-magic /^\(function\(\)[[:blank:]\n]*\{/
+}
+
+signature file-javascript6 {
+	file-mime "application/javascript", 60
+	file-magic /^[\x0d\x0a[:blank:]]*<script>[\x0d\x0a[:blank:]]*(var|function) /
+}
+
+signature file-php {
+	file-mime "text/x-php", 60
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?php/
+}
+
+signature file-php2 {
+	file-magic /^.*<\?php/
+	file-mime "text/x-php", 40
+}
+
+signature file-batch1 {
+	file-mime "text/x-msdos-batch", 110
+	file-magic /\x40 *[eE][cC][hH][oO] {1,}[oO][fF][fF]/
+}
+
+signature file-batch2 {
+	file-mime "text/x-msdos-batch", 60
+	file-magic /\x40[rR][eE][mM]/
+}
+
+signature file-batch3 {
+	file-mime "text/x-msdos-batch", 70
+	file-magic /\x40[sS][eE][tT] {1,}/
+}
+
+# M4 macro processor script text
+signature file-m4 {
+	file-mime "text/x-m4", 40
+	file-magic /^dnl /
+}

scripts/base/frameworks/netcontrol/main.zeek

@@ -731,7 +731,7 @@ function find_rules_subnet(sn: subnet) : vector of Rule
 		{
 		local sn_entry = matches[m];
 		local rule_ids = rules_by_subnets[sn_entry];
-		for ( rule_id in rules_by_subnets[sn_entry] )
+		for ( rule_id in rule_ids )
 			{
 			if ( rule_id in rules )
 				ret += rules[rule_id];

scripts/base/frameworks/netcontrol/plugins/openflow.zeek

@@ -195,7 +195,7 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat
 		return openflow_match_pred(p, e, v);
 		}
 
-	local proto = OpenFlow::IP_TCP;
+	# local proto = OpenFlow::IP_TCP;
 
 	if ( e$ty == FLOW )
 		{

scripts/base/init-bare.zeek

@@ -2076,7 +2076,8 @@ global login_timeouts: set[string] &redef;
 ##
 ## .. zeek:see:: mime_header_list http_all_headers mime_all_headers mime_one_header
 type mime_header_rec: record {
-	name: string;	##< The header name.
+	original_name: string; ##< The header name (unaltered).
+	name: string;	##< The header name (converted to all upper-case).
 	value: string;	##< The header value.
 };
 

scripts/base/protocols/dce-rpc/consts.zeek

@@ -267,7 +267,7 @@ export {
 		["12345678-1234-abcd-ef00-01234567cffb",0x2a] = "NetrServerTrustPasswordsGet",
 		["12345678-1234-abcd-ef00-01234567cffb",0x2b] = "DsrGetForestTrustInformation",
 		["12345678-1234-abcd-ef00-01234567cffb",0x2c] = "NetrGetForestTrustInformation",
-		["12345678-1234-abcd-ef00-01234567cffb",0x2d] = "NetrLogonSameLogonWithFlags",
+		["12345678-1234-abcd-ef00-01234567cffb",0x2d] = "NetrLogonSamLogonWithFlags",
 		["12345678-1234-abcd-ef00-01234567cffb",0x2e] = "NetrServerGetTrustInfo",
 		["12345678-1234-abcd-ef00-01234567cffb",0x2f] = "unused",
 		["12345678-1234-abcd-ef00-01234567cffb",0x30] = "DsrUpdateReadOnlyServerDnsRecords",

scripts/base/protocols/smtp/main.zeek

@@ -336,5 +336,6 @@ function describe(rec: Info): string
 			(|rec$rcptto|>1 ? fmt(" (plus %d others)", |rec$rcptto|-1) : ""),
 			(abbrev_subject != "" ? fmt(": %s", abbrev_subject) : ""));
 		}
+
 	return "";
 	}

scripts/base/protocols/ssl/main.zeek

@@ -315,12 +315,12 @@ event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priori
 
 event ssl_established(c: connection) &priority=7
 	{
-	set_session(c);
 	c$ssl$established = T;
 	}
 
 event ssl_established(c: connection) &priority=20
 	{
+	set_session(c);
 	hook ssl_finishing(c);
 	}
 

scripts/base/utils/addrs.zeek

@@ -70,11 +70,10 @@ const ip_addr_regex = ipv4_addr_regex | ipv6_addr_regex;
 ## Returns: T if every element is between 0 and 255, inclusive, else F.
 function has_valid_octets(octets: string_vec): bool
 	{
-	local num = 0;
 	for ( i in octets )
 		{
-		num = to_count(octets[i]);
+		local num = to_count(octets[i]);
-		if ( num < 0 || 255 < num )
+		if ( 255 < num )
 			return F;
 		}
 	return T;

scripts/base/utils/patterns.zeek

@@ -4,7 +4,7 @@ module GLOBAL;
 
 ## Given a pattern as a string with two tildes (~~) contained in it, it will
 ## return a pattern with string set's elements OR'd together where the
-## double-tilde was given (this function only works at or before init time).
+## double-tilde was given.
 ##
 ## ss: a set of strings to OR together.
 ##

scripts/policy/misc/stats.zeek

@@ -99,11 +99,6 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
 	local fs = get_file_analysis_stats();
 	local ds = get_dns_stats();
 
-	if ( zeek_is_terminating() )
-		# No more stats will be written or scheduled when Zeek is
-		# shutting down.
-		return;
-
 	local info: Info = [$ts=nettime,
 			    $peer=peer_description,
 			    $mem=ps$mem/1048576,
@@ -146,6 +141,12 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
 		}
 
 	Log::write(Stats::LOG, info);
+
+	if ( zeek_is_terminating() )
+		# No more stats will be written or scheduled when Zeek is
+		# shutting down.
+		return;
+
 	schedule report_interval { check_stats(nettime, ns, cs, ps, es, rs, ts, fs, ds) };
 	}
 

src/CompHash.cc

@@ -768,9 +768,9 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 		if ( tag == TYPE_ENUM )
 			*pval = t->AsEnumType()->GetVal(*kp);
 		else if ( tag == TYPE_BOOL )
-			*pval = {AdoptRef{}, val_mgr->GetBool(*kp)};
+			*pval = val_mgr->Bool(*kp);
 		else if ( tag == TYPE_INT )
-			*pval = {AdoptRef{}, val_mgr->GetInt(*kp)};
+			*pval = val_mgr->Int(*kp);
 		else
 			{
 			reporter->InternalError("bad internal unsigned int in CompositeHash::RecoverOneVal()");
@@ -787,11 +787,11 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 		switch ( tag ) {
 		case TYPE_COUNT:
 		case TYPE_COUNTER:
-			*pval = {AdoptRef{}, val_mgr->GetCount(*kp)};
+			*pval = val_mgr->Count(*kp);
 			break;
 
 		case TYPE_PORT:
-			*pval = {AdoptRef{}, val_mgr->GetPort(*kp)};
+			*pval = val_mgr->Port(*kp);
 			break;
 
 		default:

src/Conn.cc

@@ -90,7 +90,6 @@ Connection::Connection(NetSessions* s, const ConnIDKey& k, double t, const ConnI
 	vlan = pkt->vlan;
 	inner_vlan = pkt->inner_vlan;
 
-	conn_val = nullptr;
 	login_conn = nullptr;
 
 	is_active = 1;
@@ -131,10 +130,7 @@ Connection::~Connection()
 	CancelTimers();
 
 	if ( conn_val )
-		{
 		conn_val->SetOrigin(nullptr);
-		Unref(conn_val);
-		}
 
 	delete root_analyzer;
 	delete encapsulation;
@@ -148,23 +144,34 @@ void Connection::CheckEncapsulation(const EncapsulationStack* arg_encap)
 		{
 		if ( *encapsulation != *arg_encap )
 			{
-			Event(tunnel_changed, nullptr, arg_encap->GetVectorVal());
+			if ( tunnel_changed )
+				EnqueueEvent(tunnel_changed, nullptr, ConnVal(),
+				             IntrusivePtr{AdoptRef{}, arg_encap->GetVectorVal()});
+
 			delete encapsulation;
 			encapsulation = new EncapsulationStack(*arg_encap);
 			}
 		}
 
 	else if ( encapsulation )
+		{
+		if ( tunnel_changed )
 			{
 			EncapsulationStack empty;
-		Event(tunnel_changed, nullptr, empty.GetVectorVal());
+			EnqueueEvent(tunnel_changed, nullptr, ConnVal(),
+			             IntrusivePtr{AdoptRef{}, empty.GetVectorVal()});
+			}
+
 		delete encapsulation;
 		encapsulation = nullptr;
 		}
 
 	else if ( arg_encap )
 		{
-		Event(tunnel_changed, nullptr, arg_encap->GetVectorVal());
+		if ( tunnel_changed )
+			EnqueueEvent(tunnel_changed, nullptr, ConnVal(),
+			             IntrusivePtr{AdoptRef{}, arg_encap->GetVectorVal()});
+
 		encapsulation = new EncapsulationStack(*arg_encap);
 		}
 	}
@@ -203,7 +210,7 @@ void Connection::NextPacket(double t, bool is_orig,
 			is_successful = true;
 
 		if ( ! was_successful && is_successful && connection_successful )
-			EnqueueEvent(connection_successful, nullptr, IntrusivePtr{AdoptRef{}, BuildConnVal()});
+			EnqueueEvent(connection_successful, nullptr, ConnVal());
 		}
 	else
 		last_time = t;
@@ -260,9 +267,9 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
 		return;
 
 	EnqueueEvent(e, nullptr,
-		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		ConnVal(),
-		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+		val_mgr->Bool(is_orig),
-		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)}
+		val_mgr->Count(threshold)
 	);
 	}
 
@@ -275,10 +282,6 @@ void Connection::DeleteTimer(double /* t */)
 	}
 
 void Connection::InactivityTimer(double t)
-	{
-	// If the inactivity_timeout is zero, there has been an active
-	// timeout once, but it's disabled now. We do nothing then.
-	if ( inactivity_timeout )
 	{
 	if ( last_time + inactivity_timeout <= t )
 		{
@@ -288,9 +291,7 @@ void Connection::InactivityTimer(double t)
 		}
 	else
 		ADD_TIMER(&Connection::InactivityTimer,
-					last_time + inactivity_timeout, 0,
+		          last_time + inactivity_timeout, 0, TIMER_CONN_INACTIVITY);
-					TIMER_CONN_INACTIVITY);
-		}
 	}
 
 void Connection::RemoveConnectionTimer(double t)
@@ -301,8 +302,17 @@ void Connection::RemoveConnectionTimer(double t)
 
 void Connection::SetInactivityTimeout(double timeout)
 	{
-	// We add a new inactivity timer even if there already is one.  When
+	if ( timeout == inactivity_timeout )
-	// it fires, we always use the current value to check for inactivity.
+		return;
+
+	// First cancel and remove any existing inactivity timer.
+	for ( const auto& timer : timers )
+		if ( timer->Type() == TIMER_CONN_INACTIVITY )
+			{
+			timer_mgr->Cancel(timer);
+			break;
+			}
+
 	if ( timeout )
 		ADD_TIMER(&Connection::InactivityTimer,
 				last_time + timeout, 0, TIMER_CONN_INACTIVITY);
@@ -323,30 +333,35 @@ void Connection::EnableStatusUpdateTimer()
 
 void Connection::StatusUpdateTimer(double t)
 	{
-	EnqueueEvent(connection_status_update, nullptr, IntrusivePtr{AdoptRef{}, BuildConnVal()});
+	EnqueueEvent(connection_status_update, nullptr, ConnVal());
 	ADD_TIMER(&Connection::StatusUpdateTimer,
 			network_time + connection_status_update_interval, 0,
 			TIMER_CONN_STATUS_UPDATE);
 	}
 
 RecordVal* Connection::BuildConnVal()
+	{
+	return ConnVal()->Ref()->AsRecordVal();
+	}
+
+const IntrusivePtr<RecordVal>& Connection::ConnVal()
 	{
 	if ( ! conn_val )
 		{
-		conn_val = new RecordVal(connection_type);
+		conn_val = make_intrusive<RecordVal>(connection_type);
 
 		TransportProto prot_type = ConnTransport();
 
 		auto id_val = make_intrusive<RecordVal>(conn_id);
 		id_val->Assign(0, make_intrusive<AddrVal>(orig_addr));
-		id_val->Assign(1, val_mgr->GetPort(ntohs(orig_port), prot_type));
+		id_val->Assign(1, val_mgr->Port(ntohs(orig_port), prot_type));
 		id_val->Assign(2, make_intrusive<AddrVal>(resp_addr));
-		id_val->Assign(3, val_mgr->GetPort(ntohs(resp_port), prot_type));
+		id_val->Assign(3, val_mgr->Port(ntohs(resp_port), prot_type));
 
 		auto orig_endp = make_intrusive<RecordVal>(endpoint);
-		orig_endp->Assign(0, val_mgr->GetCount(0));
+		orig_endp->Assign(0, val_mgr->Count(0));
-		orig_endp->Assign(1, val_mgr->GetCount(0));
+		orig_endp->Assign(1, val_mgr->Count(0));
-		orig_endp->Assign(4, val_mgr->GetCount(orig_flow_label));
+		orig_endp->Assign(4, val_mgr->Count(orig_flow_label));
 
 		const int l2_len = sizeof(orig_l2_addr);
 		char null[l2_len]{};
@@ -355,9 +370,9 @@ RecordVal* Connection::BuildConnVal()
 			orig_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(orig_l2_addr, l2_len)));
 
 		auto resp_endp = make_intrusive<RecordVal>(endpoint);
-		resp_endp->Assign(0, val_mgr->GetCount(0));
+		resp_endp->Assign(0, val_mgr->Count(0));
-		resp_endp->Assign(1, val_mgr->GetCount(0));
+		resp_endp->Assign(1, val_mgr->Count(0));
-		resp_endp->Assign(4, val_mgr->GetCount(resp_flow_label));
+		resp_endp->Assign(4, val_mgr->Count(resp_flow_label));
 
 		if ( memcmp(&resp_l2_addr, &null, l2_len) != 0 )
 			resp_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(resp_l2_addr, l2_len)));
@@ -367,7 +382,7 @@ RecordVal* Connection::BuildConnVal()
 		conn_val->Assign(2, std::move(resp_endp));
 		// 3 and 4 are set below.
 		conn_val->Assign(5, make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set}));	// service
-		conn_val->Assign(6, val_mgr->GetEmptyString());	// history
+		conn_val->Assign(6, val_mgr->EmptyString());	// history
 
 		if ( ! uid )
 			uid.Set(bits_per_uid);
@@ -378,25 +393,23 @@ RecordVal* Connection::BuildConnVal()
 			conn_val->Assign(8, encapsulation->GetVectorVal());
 
 		if ( vlan != 0 )
-			conn_val->Assign(9, val_mgr->GetInt(vlan));
+			conn_val->Assign(9, val_mgr->Int(vlan));
 
 		if ( inner_vlan != 0 )
-			conn_val->Assign(10, val_mgr->GetInt(inner_vlan));
+			conn_val->Assign(10, val_mgr->Int(inner_vlan));
 
 		}
 
 	if ( root_analyzer )
-		root_analyzer->UpdateConnVal(conn_val);
+		root_analyzer->UpdateConnVal(conn_val.get());
 
 	conn_val->Assign(3, make_intrusive<Val>(start_time, TYPE_TIME));	// ###
 	conn_val->Assign(4, make_intrusive<Val>(last_time - start_time, TYPE_INTERVAL));
 	conn_val->Assign(6, make_intrusive<StringVal>(history.c_str()));
-	conn_val->Assign(11, val_mgr->GetBool(is_successful));
+	conn_val->Assign(11, val_mgr->Bool(is_successful));
 
 	conn_val->SetOrigin(this);
 
-	Ref(conn_val);
-
 	return conn_val;
 	}
 
@@ -417,12 +430,12 @@ analyzer::Analyzer* Connection::FindAnalyzer(const char* name)
 
 void Connection::AppendAddl(const char* str)
 	{
-	Unref(BuildConnVal());
+	const auto& cv = ConnVal();
 
-	const char* old = conn_val->Lookup(6)->AsString()->CheckString();
+	const char* old = cv->Lookup(6)->AsString()->CheckString();
 	const char* format = *old ? "%s %s" : "%s%s";
 
-	conn_val->Assign(6, make_intrusive<StringVal>(fmt(format, old, str)));
+	cv->Assign(6, make_intrusive<StringVal>(fmt(format, old, str)));
 	}
 
 // Returns true if the character at s separates a version number.
@@ -446,7 +459,7 @@ void Connection::Match(Rule::PatternType type, const u_char* data, int len, bool
 
 void Connection::RemovalEvent()
 	{
-	auto cv = IntrusivePtr{AdoptRef{}, BuildConnVal()};
+	auto cv = ConnVal();
 
 	if ( connection_state_remove )
 		EnqueueEvent(connection_state_remove, nullptr, cv);
@@ -461,9 +474,9 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch
 		return;
 
 	if ( name )
-		EnqueueEvent(f, analyzer, make_intrusive<StringVal>(name), IntrusivePtr{AdoptRef{}, BuildConnVal()});
+		EnqueueEvent(f, analyzer, make_intrusive<StringVal>(name), ConnVal());
 	else
-		EnqueueEvent(f, analyzer, IntrusivePtr{AdoptRef{}, BuildConnVal()});
+		EnqueueEvent(f, analyzer, ConnVal());
 	}
 
 void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2)
@@ -477,12 +490,12 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1,
 
 	if ( v2 )
 		EnqueueEvent(f, analyzer,
-		             IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		             ConnVal(),
 		             IntrusivePtr{AdoptRef{}, v1},
 		             IntrusivePtr{AdoptRef{}, v2});
 	else
 		EnqueueEvent(f, analyzer,
-		             IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		             ConnVal(),
 		             IntrusivePtr{AdoptRef{}, v1});
 	}
 
@@ -590,7 +603,6 @@ void Connection::FlipRoles()
 	resp_flow_label = orig_flow_label;
 	orig_flow_label = tmp_flow;
 
-	Unref(conn_val);
 	conn_val = nullptr;
 
 	if ( root_analyzer )
@@ -690,17 +702,17 @@ void Connection::CheckFlowLabel(bool is_orig, uint32_t flow_label)
 		if ( conn_val )
 			{
 			RecordVal *endp = conn_val->Lookup(is_orig ? 1 : 2)->AsRecordVal();
-			endp->Assign(4, val_mgr->GetCount(flow_label));
+			endp->Assign(4, val_mgr->Count(flow_label));
 			}
 
 		if ( connection_flow_label_changed &&
 		     (is_orig ? saw_first_orig_packet : saw_first_resp_packet) )
 			{
 			EnqueueEvent(connection_flow_label_changed, nullptr,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+				val_mgr->Bool(is_orig),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(my_flow_label)},
+				val_mgr->Count(my_flow_label),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flow_label)}
+				val_mgr->Count(flow_label)
 			);
 			}
 

src/Conn.h

@@ -163,7 +163,14 @@ public:
 	// Activate connection_status_update timer.
 	void EnableStatusUpdateTimer();
 
+	[[deprecated("Remove in v4.1.  Use ConnVal() instead.")]]
 	RecordVal* BuildConnVal();
+
+	/**
+	 * Returns the associated "connection" record.
+	 */
+	const IntrusivePtr<RecordVal>& ConnVal();
+
 	void AppendAddl(const char* str);
 
 	LoginConn* AsLoginConn()		{ return login_conn; }
@@ -186,6 +193,7 @@ public:
 	// 'v1' and 'v2' reference counts get decremented.  The event's first
 	// argument is the connection value, second argument is 'v1', and if 'v2'
 	// is given that will be it's third argument.
+	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead (note it doesn't automatically add the connection argument).")]]
 	void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = nullptr);
 
 	// If a handler exists for 'f', an event will be generated.  In any case,
@@ -316,8 +324,6 @@ public:
 
 protected:
 
-	Connection()	{ }
-
 	// Add the given timer to expire at time t.  If do_expire
 	// is true, then the timer is also evaluated when Bro terminates,
 	// otherwise not.
@@ -349,7 +355,7 @@ protected:
 	u_char resp_l2_addr[Packet::l2_addr_len];	// Link-layer responder address, if available
 	double start_time, last_time;
 	double inactivity_timeout;
-	RecordVal* conn_val;
+	IntrusivePtr<RecordVal> conn_val;
 	LoginConn* login_conn;	// either nil, or this
 	const EncapsulationStack* encapsulation; // tunnels
 	int suppress_event;	// suppress certain events to once per conn.

src/DNS_Mgr.cc

@@ -737,7 +737,7 @@ IntrusivePtr<Val> DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
 	r->Assign(0, make_intrusive<Val>(dm->CreationTime(), TYPE_TIME));
 	r->Assign(1, make_intrusive<StringVal>(dm->ReqHost() ? dm->ReqHost() : ""));
 	r->Assign(2, make_intrusive<AddrVal>(dm->ReqAddr()));
-	r->Assign(3, val_mgr->GetBool(dm->Valid()));
+	r->Assign(3, val_mgr->Bool(dm->Valid()));
 
 	auto h = dm->Host();
 	r->Assign(4, h ? h.release() : new StringVal("<none>"));

src/Expr.cc

@@ -683,11 +683,11 @@ IntrusivePtr<Val> BinaryExpr::Fold(Val* v1, Val* v2) const
 	else if ( ret_type->InternalType() == TYPE_INTERNAL_DOUBLE )
 		return make_intrusive<Val>(d3, ret_type->Tag());
 	else if ( ret_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
-		return {AdoptRef{}, val_mgr->GetCount(u3)};
+		return val_mgr->Count(u3);
 	else if ( ret_type->Tag() == TYPE_BOOL )
-		return {AdoptRef{}, val_mgr->GetBool(i3)};
+		return val_mgr->Bool(i3);
 	else
-		return {AdoptRef{}, val_mgr->GetInt(i3)};
+		return val_mgr->Int(i3);
 	}
 
 IntrusivePtr<Val> BinaryExpr::StringFold(Val* v1, Val* v2) const
@@ -721,7 +721,7 @@ IntrusivePtr<Val> BinaryExpr::StringFold(Val* v1, Val* v2) const
 		BadTag("BinaryExpr::StringFold", expr_name(tag));
 	}
 
-	return {AdoptRef{}, val_mgr->GetBool(result)};
+	return val_mgr->Bool(result);
 	}
 
 
@@ -797,7 +797,7 @@ IntrusivePtr<Val> BinaryExpr::SetFold(Val* v1, Val* v2) const
 		return nullptr;
 	}
 
-	return {AdoptRef{}, val_mgr->GetBool(res)};
+	return val_mgr->Bool(res);
 	}
 
 IntrusivePtr<Val> BinaryExpr::AddrFold(Val* v1, Val* v2) const
@@ -831,7 +831,7 @@ IntrusivePtr<Val> BinaryExpr::AddrFold(Val* v1, Val* v2) const
 		BadTag("BinaryExpr::AddrFold", expr_name(tag));
 	}
 
-	return {AdoptRef{}, val_mgr->GetBool(result)};
+	return val_mgr->Bool(result);
 	}
 
 IntrusivePtr<Val> BinaryExpr::SubNetFold(Val* v1, Val* v2) const
@@ -844,7 +844,7 @@ IntrusivePtr<Val> BinaryExpr::SubNetFold(Val* v1, Val* v2) const
 	if ( tag == EXPR_NE )
 		result = ! result;
 
-	return {AdoptRef{}, val_mgr->GetBool(result)};
+	return val_mgr->Bool(result);
 	}
 
 void BinaryExpr::SwapOps()
@@ -959,9 +959,9 @@ IntrusivePtr<Val> IncrExpr::DoSingleEval(Frame* f, Val* v) const
 		ret_type = Type()->YieldType();
 
 	if ( ret_type->Tag() == TYPE_INT )
-		return {AdoptRef{}, val_mgr->GetInt(k)};
+		return val_mgr->Int(k);
 	else
-		return {AdoptRef{}, val_mgr->GetCount(k)};
+		return val_mgr->Count(k);
 	}
 
 
@@ -1019,7 +1019,7 @@ ComplementExpr::ComplementExpr(IntrusivePtr<Expr> arg_op)
 
 IntrusivePtr<Val> ComplementExpr::Fold(Val* v) const
 	{
-	return {AdoptRef{}, val_mgr->GetCount(~ v->InternalUnsigned())};
+	return val_mgr->Count(~ v->InternalUnsigned());
 	}
 
 NotExpr::NotExpr(IntrusivePtr<Expr> arg_op)
@@ -1038,7 +1038,7 @@ NotExpr::NotExpr(IntrusivePtr<Expr> arg_op)
 
 IntrusivePtr<Val> NotExpr::Fold(Val* v) const
 	{
-	return {AdoptRef{}, val_mgr->GetBool(! v->InternalInt())};
+	return val_mgr->Bool(! v->InternalInt());
 	}
 
 PosExpr::PosExpr(IntrusivePtr<Expr> arg_op)
@@ -1076,7 +1076,7 @@ IntrusivePtr<Val> PosExpr::Fold(Val* v) const
 	if ( t == TYPE_DOUBLE || t == TYPE_INTERVAL || t == TYPE_INT )
 		return {NewRef{}, v};
 	else
-		return {AdoptRef{}, val_mgr->GetInt(v->CoerceToInt())};
+		return val_mgr->Int(v->CoerceToInt());
 	}
 
 NegExpr::NegExpr(IntrusivePtr<Expr> arg_op)
@@ -1114,7 +1114,7 @@ IntrusivePtr<Val> NegExpr::Fold(Val* v) const
 	else if ( v->Type()->Tag() == TYPE_INTERVAL )
 		return make_intrusive<IntervalVal>(- v->InternalDouble(), 1.0);
 	else
-		return {AdoptRef{}, val_mgr->GetInt(- v->CoerceToInt())};
+		return val_mgr->Int(- v->CoerceToInt());
 	}
 
 SizeExpr::SizeExpr(IntrusivePtr<Expr> arg_op)
@@ -1621,7 +1621,7 @@ IntrusivePtr<Val> BoolExpr::Eval(Frame* f) const
 				(! op1->IsZero() && ! op2->IsZero()) :
 				(! op1->IsZero() || ! op2->IsZero());
 
-			result->Assign(i, val_mgr->GetBool(local_result));
+			result->Assign(i, val_mgr->Bool(local_result));
 			}
 		else
 			result->Assign(i, nullptr);
@@ -1776,9 +1776,9 @@ IntrusivePtr<Val> EqExpr::Fold(Val* v1, Val* v2) const
 		RE_Matcher* re = v1->AsPattern();
 		const BroString* s = v2->AsString();
 		if ( tag == EXPR_EQ )
-			return {AdoptRef{}, val_mgr->GetBool(re->MatchExactly(s))};
+			return val_mgr->Bool(re->MatchExactly(s));
 		else
-			return {AdoptRef{}, val_mgr->GetBool(! re->MatchExactly(s))};
+			return val_mgr->Bool(! re->MatchExactly(s));
 		}
 
 	else
@@ -2973,7 +2973,7 @@ HasFieldExpr::~HasFieldExpr()
 IntrusivePtr<Val> HasFieldExpr::Fold(Val* v) const
 	{
 	auto rv = v->AsRecordVal();
-	return {AdoptRef{}, val_mgr->GetBool(rv->Lookup(field))};
+	return val_mgr->Bool(rv->Lookup(field));
 	}
 
 void HasFieldExpr::ExprDescribe(ODesc* d) const
@@ -3486,10 +3486,10 @@ IntrusivePtr<Val> ArithCoerceExpr::FoldSingleVal(Val* v, InternalTypeTag t) cons
 		return make_intrusive<Val>(v->CoerceToDouble(), TYPE_DOUBLE);
 
 	case TYPE_INTERNAL_INT:
-		return {AdoptRef{}, val_mgr->GetInt(v->CoerceToInt())};
+		return val_mgr->Int(v->CoerceToInt());
 
 	case TYPE_INTERNAL_UNSIGNED:
-		return {AdoptRef{}, val_mgr->GetCount(v->CoerceToUnsigned())};
+		return val_mgr->Count(v->CoerceToUnsigned());
 
 	default:
 		RuntimeErrorWithCallStack("bad type in CoerceExpr::Fold");
@@ -4025,7 +4025,7 @@ IntrusivePtr<Val> InExpr::Fold(Val* v1, Val* v2) const
 		{
 		RE_Matcher* re = v1->AsPattern();
 		const BroString* s = v2->AsString();
-		return {AdoptRef{}, val_mgr->GetBool(re->MatchAnywhere(s) != 0)};
+		return val_mgr->Bool(re->MatchAnywhere(s) != 0);
 		}
 
 	if ( v2->Type()->Tag() == TYPE_STRING )
@@ -4036,12 +4036,12 @@ IntrusivePtr<Val> InExpr::Fold(Val* v1, Val* v2) const
 		// Could do better here e.g. Boyer-Moore if done repeatedly.
 		auto s = reinterpret_cast<const unsigned char*>(s1->CheckString());
 		auto res = strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s) != -1;
-		return {AdoptRef{}, val_mgr->GetBool(res)};
+		return val_mgr->Bool(res);
 		}
 
 	if ( v1->Type()->Tag() == TYPE_ADDR &&
 	     v2->Type()->Tag() == TYPE_SUBNET )
-		return {AdoptRef{}, val_mgr->GetBool(v2->AsSubNetVal()->Contains(v1->AsAddr()))};
+		return val_mgr->Bool(v2->AsSubNetVal()->Contains(v1->AsAddr()));
 
 	bool res;
 
@@ -4050,7 +4050,7 @@ IntrusivePtr<Val> InExpr::Fold(Val* v1, Val* v2) const
 	else
 		res = (bool)v2->AsTableVal()->Lookup(v1, false);
 
-	return {AdoptRef{}, val_mgr->GetBool(res)};
+	return val_mgr->Bool(res);
 	}
 
 CallExpr::CallExpr(IntrusivePtr<Expr> arg_func,
@@ -4907,7 +4907,7 @@ IntrusivePtr<Val> IsExpr::Fold(Val* v) const
 	if ( IsError() )
 		return nullptr;
 
-	return {AdoptRef{}, val_mgr->GetBool(can_cast_value_to_type(v, t.get()))};
+	return val_mgr->Bool(can_cast_value_to_type(v, t.get()));
 	}
 
 void IsExpr::ExprDescribe(ODesc* d) const

src/Func.cc

@@ -321,7 +321,7 @@ IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
 		{
 		// Can only happen for events and hooks.
 		assert(Flavor() == FUNC_FLAVOR_EVENT || Flavor() == FUNC_FLAVOR_HOOK);
-		return Flavor() == FUNC_FLAVOR_HOOK ? IntrusivePtr{AdoptRef{}, val_mgr->GetTrue()} : nullptr;
+		return Flavor() == FUNC_FLAVOR_HOOK ? val_mgr->True() : nullptr;
 		}
 
 	auto f = make_intrusive<Frame>(frame_size, this, &args);
@@ -407,7 +407,7 @@ IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
 			if ( flow == FLOW_BREAK )
 				{
 				// Short-circuit execution of remaining hook handler bodies.
-				result = {AdoptRef{}, val_mgr->GetFalse()};
+				result = val_mgr->False();
 				break;
 				}
 			}
@@ -418,7 +418,7 @@ IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
 	if ( Flavor() == FUNC_FLAVOR_HOOK )
 		{
 		if ( ! result )
-			result = {AdoptRef{}, val_mgr->GetTrue()};
+			result = val_mgr->True();
 		}
 
 	// Warn if the function returns something, but we returned from
@@ -633,7 +633,7 @@ IntrusivePtr<Val> BuiltinFunc::Call(const zeek::Args& args, Frame* parent) const
 
 	const CallExpr* call_expr = parent ? parent->GetCall() : nullptr;
 	call_stack.emplace_back(CallInfo{call_expr, this, args});
-	IntrusivePtr<Val> result{AdoptRef{}, func(parent, &args)};
+	auto result = std::move(func(parent, &args).rval);
 	call_stack.pop_back();
 
 	if ( result && g_trace_state.DoTrace() )
@@ -890,3 +890,10 @@ function_ingredients::~function_ingredients()
 
 	delete inits;
 	}
+
+BifReturnVal::BifReturnVal(std::nullptr_t) noexcept
+	{ }
+
+BifReturnVal::BifReturnVal(Val* v) noexcept
+	: rval(AdoptRef{}, v)
+	{ }

src/Func.h

@@ -188,7 +188,32 @@ private:
 	bool weak_closure_ref = false;
 };
 
-using built_in_func = Val* (*)(Frame* frame, const zeek::Args* args);
+/**
+ * A simple wrapper class to use for the return value of BIFs so that
+ * they may return either a Val* or IntrusivePtr<Val> (the former could
+ * potentially be deprecated).
+ */
+class BifReturnVal {
+public:
+
+	template <typename T>
+	BifReturnVal(IntrusivePtr<T> v) noexcept
+		: rval(AdoptRef{}, v.release())
+		{ }
+
+	BifReturnVal(std::nullptr_t) noexcept;
+
+	[[deprecated("Remove in v4.1.  Return an IntrusivePtr instead.")]]
+	BifReturnVal(Val* v) noexcept;
+
+private:
+
+	friend class BuiltinFunc;
+
+	IntrusivePtr<Val> rval;
+};
+
+using built_in_func = BifReturnVal (*)(Frame* frame, const zeek::Args* args);
 
 class BuiltinFunc final : public Func {
 public:

src/Hash.h

@@ -29,8 +29,9 @@ class BroString;
 #include "ZeekArgs.h"
 class Val;
 class Frame;
+class BifReturnVal;
 namespace BifFunc {
-	extern Val* bro_md5_hmac(Frame* frame, const zeek::Args*);
+	extern BifReturnVal bro_md5_hmac(Frame* frame, const zeek::Args*);
 }
 
 typedef uint64_t hash_t;
@@ -195,7 +196,7 @@ private:
 	inline static bool seeds_initialized = false;
 
 	friend void hmac_md5(size_t size, const unsigned char* bytes, unsigned char digest[16]);
-	friend Val* BifFunc::bro_md5_hmac(Frame* frame, const zeek::Args*);
+	friend BifReturnVal BifFunc::bro_md5_hmac(Frame* frame, const zeek::Args*);
 };
 
 typedef enum {

src/IP.cc

@@ -50,13 +50,13 @@ static VectorVal* BuildOptionsVal(const u_char* data, int len)
 		{
 		const struct ip6_opt* opt = (const struct ip6_opt*) data;
 		RecordVal* rv = new RecordVal(hdrType(ip6_option_type, "ip6_option"));
-		rv->Assign(0, val_mgr->GetCount(opt->ip6o_type));
+		rv->Assign(0, val_mgr->Count(opt->ip6o_type));
 
 		if ( opt->ip6o_type == 0 )
 			{
 			// Pad1 option
-			rv->Assign(1, val_mgr->GetCount(0));
+			rv->Assign(1, val_mgr->Count(0));
-			rv->Assign(2, val_mgr->GetEmptyString());
+			rv->Assign(2, val_mgr->EmptyString());
 			data += sizeof(uint8_t);
 			len -= sizeof(uint8_t);
 			}
@@ -64,7 +64,7 @@ static VectorVal* BuildOptionsVal(const u_char* data, int len)
 			{
 			// PadN or other option
 			uint16_t off = 2 * sizeof(uint8_t);
-			rv->Assign(1, val_mgr->GetCount(opt->ip6o_len));
+			rv->Assign(1, val_mgr->Count(opt->ip6o_len));
 			rv->Assign(2, make_intrusive<StringVal>(
 			        new BroString(data + off, opt->ip6o_len, true)));
 			data += opt->ip6o_len + off;
@@ -86,11 +86,11 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		{
 		rv = new RecordVal(hdrType(ip6_hdr_type, "ip6_hdr"));
 		const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data;
-		rv->Assign(0, val_mgr->GetCount((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20));
+		rv->Assign(0, val_mgr->Count((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20));
-		rv->Assign(1, val_mgr->GetCount(ntohl(ip6->ip6_flow) & 0x000fffff));
+		rv->Assign(1, val_mgr->Count(ntohl(ip6->ip6_flow) & 0x000fffff));
-		rv->Assign(2, val_mgr->GetCount(ntohs(ip6->ip6_plen)));
+		rv->Assign(2, val_mgr->Count(ntohs(ip6->ip6_plen)));
-		rv->Assign(3, val_mgr->GetCount(ip6->ip6_nxt));
+		rv->Assign(3, val_mgr->Count(ip6->ip6_nxt));
-		rv->Assign(4, val_mgr->GetCount(ip6->ip6_hlim));
+		rv->Assign(4, val_mgr->Count(ip6->ip6_hlim));
 		rv->Assign(5, make_intrusive<AddrVal>(IPAddr(ip6->ip6_src)));
 		rv->Assign(6, make_intrusive<AddrVal>(IPAddr(ip6->ip6_dst)));
 		if ( ! chain )
@@ -104,8 +104,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		{
 		rv = new RecordVal(hdrType(ip6_hopopts_type, "ip6_hopopts"));
 		const struct ip6_hbh* hbh = (const struct ip6_hbh*)data;
-		rv->Assign(0, val_mgr->GetCount(hbh->ip6h_nxt));
+		rv->Assign(0, val_mgr->Count(hbh->ip6h_nxt));
-		rv->Assign(1, val_mgr->GetCount(hbh->ip6h_len));
+		rv->Assign(1, val_mgr->Count(hbh->ip6h_len));
 		uint16_t off = 2 * sizeof(uint8_t);
 		rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
 
@@ -116,8 +116,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		{
 		rv = new RecordVal(hdrType(ip6_dstopts_type, "ip6_dstopts"));
 		const struct ip6_dest* dst = (const struct ip6_dest*)data;
-		rv->Assign(0, val_mgr->GetCount(dst->ip6d_nxt));
+		rv->Assign(0, val_mgr->Count(dst->ip6d_nxt));
-		rv->Assign(1, val_mgr->GetCount(dst->ip6d_len));
+		rv->Assign(1, val_mgr->Count(dst->ip6d_len));
 		uint16_t off = 2 * sizeof(uint8_t);
 		rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
 		}
@@ -127,10 +127,10 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		{
 		rv = new RecordVal(hdrType(ip6_routing_type, "ip6_routing"));
 		const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data;
-		rv->Assign(0, val_mgr->GetCount(rt->ip6r_nxt));
+		rv->Assign(0, val_mgr->Count(rt->ip6r_nxt));
-		rv->Assign(1, val_mgr->GetCount(rt->ip6r_len));
+		rv->Assign(1, val_mgr->Count(rt->ip6r_len));
-		rv->Assign(2, val_mgr->GetCount(rt->ip6r_type));
+		rv->Assign(2, val_mgr->Count(rt->ip6r_type));
-		rv->Assign(3, val_mgr->GetCount(rt->ip6r_segleft));
+		rv->Assign(3, val_mgr->Count(rt->ip6r_segleft));
 		uint16_t off = 4 * sizeof(uint8_t);
 		rv->Assign(4, make_intrusive<StringVal>(new BroString(data + off, Length() - off, true)));
 		}
@@ -140,28 +140,28 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		{
 		rv = new RecordVal(hdrType(ip6_fragment_type, "ip6_fragment"));
 		const struct ip6_frag* frag = (const struct ip6_frag*)data;
-		rv->Assign(0, val_mgr->GetCount(frag->ip6f_nxt));
+		rv->Assign(0, val_mgr->Count(frag->ip6f_nxt));
-		rv->Assign(1, val_mgr->GetCount(frag->ip6f_reserved));
+		rv->Assign(1, val_mgr->Count(frag->ip6f_reserved));
-		rv->Assign(2, val_mgr->GetCount((ntohs(frag->ip6f_offlg) & 0xfff8)>>3));
+		rv->Assign(2, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0xfff8)>>3));
-		rv->Assign(3, val_mgr->GetCount((ntohs(frag->ip6f_offlg) & 0x0006)>>1));
+		rv->Assign(3, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0x0006)>>1));
-		rv->Assign(4, val_mgr->GetBool(ntohs(frag->ip6f_offlg) & 0x0001));
+		rv->Assign(4, val_mgr->Bool(ntohs(frag->ip6f_offlg) & 0x0001));
-		rv->Assign(5, val_mgr->GetCount(ntohl(frag->ip6f_ident)));
+		rv->Assign(5, val_mgr->Count(ntohl(frag->ip6f_ident)));
 		}
 		break;
 
 	case IPPROTO_AH:
 		{
 		rv = new RecordVal(hdrType(ip6_ah_type, "ip6_ah"));
-		rv->Assign(0, val_mgr->GetCount(((ip6_ext*)data)->ip6e_nxt));
+		rv->Assign(0, val_mgr->Count(((ip6_ext*)data)->ip6e_nxt));
-		rv->Assign(1, val_mgr->GetCount(((ip6_ext*)data)->ip6e_len));
+		rv->Assign(1, val_mgr->Count(((ip6_ext*)data)->ip6e_len));
-		rv->Assign(2, val_mgr->GetCount(ntohs(((uint16_t*)data)[1])));
+		rv->Assign(2, val_mgr->Count(ntohs(((uint16_t*)data)[1])));
-		rv->Assign(3, val_mgr->GetCount(ntohl(((uint32_t*)data)[1])));
+		rv->Assign(3, val_mgr->Count(ntohl(((uint32_t*)data)[1])));
 
 		if ( Length() >= 12 )
 			{
 			// Sequence Number and ICV fields can only be extracted if
 			// Payload Len was non-zero for this header.
-			rv->Assign(4, val_mgr->GetCount(ntohl(((uint32_t*)data)[2])));
+			rv->Assign(4, val_mgr->Count(ntohl(((uint32_t*)data)[2])));
 			uint16_t off = 3 * sizeof(uint32_t);
 			rv->Assign(5, make_intrusive<StringVal>(new BroString(data + off, Length() - off, true)));
 			}
@@ -172,8 +172,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		{
 		rv = new RecordVal(hdrType(ip6_esp_type, "ip6_esp"));
 		const uint32_t* esp = (const uint32_t*)data;
-		rv->Assign(0, val_mgr->GetCount(ntohl(esp[0])));
+		rv->Assign(0, val_mgr->Count(ntohl(esp[0])));
-		rv->Assign(1, val_mgr->GetCount(ntohl(esp[1])));
+		rv->Assign(1, val_mgr->Count(ntohl(esp[1])));
 		}
 		break;
 
@@ -182,14 +182,14 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		{
 		rv = new RecordVal(hdrType(ip6_mob_type, "ip6_mobility_hdr"));
 		const struct ip6_mobility* mob = (const struct ip6_mobility*) data;
-		rv->Assign(0, val_mgr->GetCount(mob->ip6mob_payload));
+		rv->Assign(0, val_mgr->Count(mob->ip6mob_payload));
-		rv->Assign(1, val_mgr->GetCount(mob->ip6mob_len));
+		rv->Assign(1, val_mgr->Count(mob->ip6mob_len));
-		rv->Assign(2, val_mgr->GetCount(mob->ip6mob_type));
+		rv->Assign(2, val_mgr->Count(mob->ip6mob_type));
-		rv->Assign(3, val_mgr->GetCount(mob->ip6mob_rsv));
+		rv->Assign(3, val_mgr->Count(mob->ip6mob_rsv));
-		rv->Assign(4, val_mgr->GetCount(ntohs(mob->ip6mob_chksum)));
+		rv->Assign(4, val_mgr->Count(ntohs(mob->ip6mob_chksum)));
 
 		RecordVal* msg = new RecordVal(hdrType(ip6_mob_msg_type, "ip6_mobility_msg"));
-		msg->Assign(0, val_mgr->GetCount(mob->ip6mob_type));
+		msg->Assign(0, val_mgr->Count(mob->ip6mob_type));
 
 		uint16_t off = sizeof(ip6_mobility);
 		const u_char* msg_data = data + off;
@@ -198,7 +198,7 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		case 0:
 			{
 			RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_brr"));
-			m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
+			m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
 			off += sizeof(uint16_t);
 			m->Assign(1, BuildOptionsVal(data + off, Length() - off));
 			msg->Assign(1, m);
@@ -208,8 +208,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		case 1:
 			{
 			RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_hoti"));
-			m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
+			m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
-			m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
+			m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
 			off += sizeof(uint16_t) + sizeof(uint64_t);
 			m->Assign(2, BuildOptionsVal(data + off, Length() - off));
 			msg->Assign(2, m);
@@ -219,8 +219,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		case 2:
 			{
 			RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_coti"));
-			m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
+			m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
-			m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
+			m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
 			off += sizeof(uint16_t) + sizeof(uint64_t);
 			m->Assign(2, BuildOptionsVal(data + off, Length() - off));
 			msg->Assign(3, m);
@@ -230,9 +230,9 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		case 3:
 			{
 			RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_hot"));
-			m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
+			m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
-			m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
+			m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
-			m->Assign(2, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
+			m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
 			off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
 			m->Assign(3, BuildOptionsVal(data + off, Length() - off));
 			msg->Assign(4, m);
@@ -242,9 +242,9 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		case 4:
 			{
 			RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_cot"));
-			m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
+			m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
-			m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
+			m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
-			m->Assign(2, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
+			m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
 			off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
 			m->Assign(3, BuildOptionsVal(data + off, Length() - off));
 			msg->Assign(5, m);
@@ -254,12 +254,12 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		case 5:
 			{
 			RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_bu"));
-			m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
+			m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
-			m->Assign(1, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000));
+			m->Assign(1, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000));
-			m->Assign(2, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000));
+			m->Assign(2, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000));
-			m->Assign(3, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000));
+			m->Assign(3, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000));
-			m->Assign(4, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000));
+			m->Assign(4, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000));
-			m->Assign(5, val_mgr->GetCount(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
+			m->Assign(5, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
 			off += 3 * sizeof(uint16_t);
 			m->Assign(6, BuildOptionsVal(data + off, Length() - off));
 			msg->Assign(6, m);
@@ -269,10 +269,10 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		case 6:
 			{
 			RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_back"));
-			m->Assign(0, val_mgr->GetCount(*((uint8_t*)msg_data)));
+			m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data)));
-			m->Assign(1, val_mgr->GetBool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80));
+			m->Assign(1, val_mgr->Bool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80));
-			m->Assign(2, val_mgr->GetCount(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t))))));
+			m->Assign(2, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t))))));
-			m->Assign(3, val_mgr->GetCount(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
+			m->Assign(3, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
 			off += 3 * sizeof(uint16_t);
 			m->Assign(4, BuildOptionsVal(data + off, Length() - off));
 			msg->Assign(7, m);
@@ -282,7 +282,7 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 		case 7:
 			{
 			RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_be"));
-			m->Assign(0, val_mgr->GetCount(*((uint8_t*)msg_data)));
+			m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data)));
 			const in6_addr* hoa = (const in6_addr*)(msg_data + sizeof(uint16_t));
 			m->Assign(1, make_intrusive<AddrVal>(IPAddr(*hoa)));
 			off += sizeof(uint16_t) + sizeof(in6_addr);
@@ -335,12 +335,12 @@ RecordVal* IP_Hdr::BuildIPHdrVal() const
 	if ( ip4 )
 		{
 		rval = new RecordVal(hdrType(ip4_hdr_type, "ip4_hdr"));
-		rval->Assign(0, val_mgr->GetCount(ip4->ip_hl * 4));
+		rval->Assign(0, val_mgr->Count(ip4->ip_hl * 4));
-		rval->Assign(1, val_mgr->GetCount(ip4->ip_tos));
+		rval->Assign(1, val_mgr->Count(ip4->ip_tos));
-		rval->Assign(2, val_mgr->GetCount(ntohs(ip4->ip_len)));
+		rval->Assign(2, val_mgr->Count(ntohs(ip4->ip_len)));
-		rval->Assign(3, val_mgr->GetCount(ntohs(ip4->ip_id)));
+		rval->Assign(3, val_mgr->Count(ntohs(ip4->ip_id)));
-		rval->Assign(4, val_mgr->GetCount(ip4->ip_ttl));
+		rval->Assign(4, val_mgr->Count(ip4->ip_ttl));
-		rval->Assign(5, val_mgr->GetCount(ip4->ip_p));
+		rval->Assign(5, val_mgr->Count(ip4->ip_p));
 		rval->Assign(6, make_intrusive<AddrVal>(ip4->ip_src.s_addr));
 		rval->Assign(7, make_intrusive<AddrVal>(ip4->ip_dst.s_addr));
 		}
@@ -394,15 +394,15 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
 		int tcp_hdr_len = tp->th_off * 4;
 		int data_len = PayloadLen() - tcp_hdr_len;
 
-		tcp_hdr->Assign(0, val_mgr->GetPort(ntohs(tp->th_sport), TRANSPORT_TCP));
+		tcp_hdr->Assign(0, val_mgr->Port(ntohs(tp->th_sport), TRANSPORT_TCP));
-		tcp_hdr->Assign(1, val_mgr->GetPort(ntohs(tp->th_dport), TRANSPORT_TCP));
+		tcp_hdr->Assign(1, val_mgr->Port(ntohs(tp->th_dport), TRANSPORT_TCP));
-		tcp_hdr->Assign(2, val_mgr->GetCount(uint32_t(ntohl(tp->th_seq))));
+		tcp_hdr->Assign(2, val_mgr->Count(uint32_t(ntohl(tp->th_seq))));
-		tcp_hdr->Assign(3, val_mgr->GetCount(uint32_t(ntohl(tp->th_ack))));
+		tcp_hdr->Assign(3, val_mgr->Count(uint32_t(ntohl(tp->th_ack))));
-		tcp_hdr->Assign(4, val_mgr->GetCount(tcp_hdr_len));
+		tcp_hdr->Assign(4, val_mgr->Count(tcp_hdr_len));
-		tcp_hdr->Assign(5, val_mgr->GetCount(data_len));
+		tcp_hdr->Assign(5, val_mgr->Count(data_len));
-		tcp_hdr->Assign(6, val_mgr->GetCount(tp->th_x2));
+		tcp_hdr->Assign(6, val_mgr->Count(tp->th_x2));
-		tcp_hdr->Assign(7, val_mgr->GetCount(tp->th_flags));
+		tcp_hdr->Assign(7, val_mgr->Count(tp->th_flags));
-		tcp_hdr->Assign(8, val_mgr->GetCount(ntohs(tp->th_win)));
+		tcp_hdr->Assign(8, val_mgr->Count(ntohs(tp->th_win)));
 
 		pkt_hdr->Assign(sindex + 2, tcp_hdr);
 		break;
@@ -413,9 +413,9 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
 		const struct udphdr* up = (const struct udphdr*) data;
 		RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
 
-		udp_hdr->Assign(0, val_mgr->GetPort(ntohs(up->uh_sport), TRANSPORT_UDP));
+		udp_hdr->Assign(0, val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP));
-		udp_hdr->Assign(1, val_mgr->GetPort(ntohs(up->uh_dport), TRANSPORT_UDP));
+		udp_hdr->Assign(1, val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP));
-		udp_hdr->Assign(2, val_mgr->GetCount(ntohs(up->uh_ulen)));
+		udp_hdr->Assign(2, val_mgr->Count(ntohs(up->uh_ulen)));
 
 		pkt_hdr->Assign(sindex + 3, udp_hdr);
 		break;
@@ -426,7 +426,7 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
 		const struct icmp* icmpp = (const struct icmp *) data;
 		RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
 
-		icmp_hdr->Assign(0, val_mgr->GetCount(icmpp->icmp_type));
+		icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp_type));
 
 		pkt_hdr->Assign(sindex + 4, icmp_hdr);
 		break;
@@ -437,7 +437,7 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
 		const struct icmp6_hdr* icmpp = (const struct icmp6_hdr*) data;
 		RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
 
-		icmp_hdr->Assign(0, val_mgr->GetCount(icmpp->icmp6_type));
+		icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp6_type));
 
 		pkt_hdr->Assign(sindex + 4, icmp_hdr);
 		break;
@@ -696,7 +696,7 @@ VectorVal* IPv6_Hdr_Chain::BuildVal() const
 		RecordVal* v = chain[i]->BuildRecordVal();
 		RecordVal* ext_hdr = new RecordVal(ip6_ext_hdr_type);
 		uint8_t type = chain[i]->Type();
-		ext_hdr->Assign(0, val_mgr->GetCount(type));
+		ext_hdr->Assign(0, val_mgr->Count(type));
 
 		switch (type) {
 		case IPPROTO_HOPOPTS:

src/Net.cc

@@ -223,8 +223,13 @@ void expire_timers(iosource::PktSrc* src_ps)
 void net_packet_dispatch(double t, const Packet* pkt, iosource::PktSrc* src_ps)
 	{
 	if ( ! bro_start_network_time )
+		{
 		bro_start_network_time = t;
 
+		if ( network_time_init )
+			mgr.Enqueue(network_time_init, zeek::Args{});
+		}
+
 	// network_time never goes back.
 	net_update_time(timer_mgr->Time() < t ? t : timer_mgr->Time());
 

src/OpaqueVal.cc

@@ -171,8 +171,7 @@ bool HashVal::Init()
 IntrusivePtr<StringVal> HashVal::Get()
 	{
 	if ( ! valid )
-		return IntrusivePtr<StringVal>(AdoptRef{},
+		return val_mgr->EmptyString();
-					       val_mgr->GetEmptyString());
 
 	auto result = DoGet();
 	valid = false;
@@ -203,7 +202,7 @@ bool HashVal::DoFeed(const void*, size_t)
 IntrusivePtr<StringVal> HashVal::DoGet()
 	{
 	assert(! "missing implementation of DoGet()");
-	return IntrusivePtr<StringVal>(AdoptRef{}, val_mgr->GetEmptyString());
+	return val_mgr->EmptyString();
 	}
 
 HashVal::HashVal(OpaqueType* t) : OpaqueVal(t)
@@ -275,7 +274,7 @@ bool MD5Val::DoFeed(const void* data, size_t size)
 IntrusivePtr<StringVal> MD5Val::DoGet()
 	{
 	if ( ! IsValid() )
-		return IntrusivePtr<StringVal>(AdoptRef{}, val_mgr->GetEmptyString());
+		return val_mgr->EmptyString();
 
 	u_char digest[MD5_DIGEST_LENGTH];
 	hash_final(ctx, digest);
@@ -395,8 +394,7 @@ bool SHA1Val::DoFeed(const void* data, size_t size)
 IntrusivePtr<StringVal> SHA1Val::DoGet()
 	{
 	if ( ! IsValid() )
-		return IntrusivePtr<StringVal>(AdoptRef{},
+		return val_mgr->EmptyString();
-		                               val_mgr->GetEmptyString());
 
 	u_char digest[SHA_DIGEST_LENGTH];
 	hash_final(ctx, digest);
@@ -519,8 +517,7 @@ bool SHA256Val::DoFeed(const void* data, size_t size)
 IntrusivePtr<StringVal> SHA256Val::DoGet()
 	{
 	if ( ! IsValid() )
-		return IntrusivePtr<StringVal>(AdoptRef{},
+		return val_mgr->EmptyString();
-		                               val_mgr->GetEmptyString());
 
 	u_char digest[SHA256_DIGEST_LENGTH];
 	hash_final(ctx, digest);

src/Reporter.cc

@@ -355,7 +355,7 @@ void Reporter::Weird(Connection* conn, const char* name, const char* addl)
 			return;
 		}
 
-	WeirdHelper(conn_weird, {conn->BuildConnVal(), new StringVal(addl)},
+	WeirdHelper(conn_weird, {conn->ConnVal()->Ref(), new StringVal(addl)},
 	            "%s", name);
 	}
 
@@ -492,7 +492,7 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 			vl.emplace_back(make_intrusive<StringVal>(loc_str.c_str()));
 
 		if ( conn )
-			vl.emplace_back(AdoptRef{}, conn->BuildConnVal());
+			vl.emplace_back(conn->ConnVal());
 
 		if ( addl )
 			for ( auto v : *addl )

src/RuleAction.cc

@@ -24,7 +24,7 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
 		mgr.Enqueue(signature_match,
 			IntrusivePtr{AdoptRef{}, rule_matcher->BuildRuleStateValue(parent, state)},
 			make_intrusive<StringVal>(msg),
-			data ? make_intrusive<StringVal>(len, (const char*)data) : IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()}
+			data ? make_intrusive<StringVal>(len, (const char*)data) : val_mgr->EmptyString()
 		);
 	}
 

src/RuleCondition.cc

@@ -174,7 +174,7 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
 	if ( data )
 		args.emplace_back(make_intrusive<StringVal>(len, (const char*) data));
 	else
-		args.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
+		args.emplace_back(val_mgr->EmptyString());
 
 	bool result = false;
 

src/RuleMatcher.cc

@@ -81,9 +81,9 @@ Val* RuleMatcher::BuildRuleStateValue(const Rule* rule,
 	{
 	RecordVal* val = new RecordVal(signature_state);
 	val->Assign(0, make_intrusive<StringVal>(rule->ID()));
-	val->Assign(1, state->GetAnalyzer()->BuildConnVal());
+	val->Assign(1, state->GetAnalyzer()->ConnVal());
-	val->Assign(2, val_mgr->GetBool(state->is_orig));
+	val->Assign(2, val_mgr->Bool(state->is_orig));
-	val->Assign(3, val_mgr->GetCount(state->payload_size));
+	val->Assign(3, val_mgr->Count(state->payload_size));
 	return val;
 	}
 

src/Sessions.cc

@@ -691,12 +691,14 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 	if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 )
 		{
 		pkt_hdr_val = ip_hdr->BuildPktHdrVal();
-		conn->Event(ipv6_ext_headers, nullptr, pkt_hdr_val);
+		conn->EnqueueEvent(ipv6_ext_headers, nullptr, conn->ConnVal(),
+		                   IntrusivePtr{AdoptRef{}, pkt_hdr_val});
 		}
 
 	if ( new_packet )
-		conn->Event(new_packet, nullptr,
+		conn->EnqueueEvent(new_packet, nullptr, conn->ConnVal(), pkt_hdr_val ?
-		        pkt_hdr_val ? pkt_hdr_val->Ref() : ip_hdr->BuildPktHdrVal());
+		                   IntrusivePtr{NewRef{}, pkt_hdr_val} :
+		                   IntrusivePtr{AdoptRef{}, ip_hdr->BuildPktHdrVal()});
 
 	conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data,
 				record_packet, record_content, pkt);

src/SmithWaterman.cc

@@ -95,13 +95,13 @@ VectorVal* BroSubstring::VecToPolicy(Vec* vec)
 
 				auto align_val = make_intrusive<RecordVal>(sw_align_type);
 				align_val->Assign(0, make_intrusive<StringVal>(new BroString(*align.string)));
-				align_val->Assign(1, val_mgr->GetCount(align.index));
+				align_val->Assign(1, val_mgr->Count(align.index));
 
 				aligns->Assign(j + 1, std::move(align_val));
 				}
 
 			st_val->Assign(1, std::move(aligns));
-			st_val->Assign(2, val_mgr->GetBool(bst->IsNewAlignment()));
+			st_val->Assign(2, val_mgr->Bool(bst->IsNewAlignment()));
 			result->Assign(i + 1, std::move(st_val));
 			}
 		}

src/Stats.cc

@@ -314,7 +314,7 @@ void ProfileLogger::Log()
 		Ref(file);
 		mgr.Dispatch(new Event(profiling_update, {
 			make_intrusive<Val>(file),
-			{AdoptRef{}, val_mgr->GetBool(expensive)},
+			val_mgr->Bool(expensive),
 		}));
 		}
 	}
@@ -374,7 +374,7 @@ void SampleLogger::SegmentProfile(const char* /* name */,
 		mgr.Enqueue(load_sample,
 			IntrusivePtr{NewRef{}, load_samples},
 			make_intrusive<IntervalVal>(dtime, Seconds),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetInt(dmem)}
+			val_mgr->Int(dmem)
 		);
 	}
 

src/Stmt.cc

@@ -1232,8 +1232,7 @@ IntrusivePtr<Val> ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
 
 			// Set the loop variable to the current index, and make
 			// another pass over the loop body.
-			f->SetElement((*loop_vars)[0],
+			f->SetElement((*loop_vars)[0], val_mgr->Count(i).release());
-					val_mgr->GetCount(i));
 			flow = FLOW_NEXT;
 			ret = body->Exec(f, flow);
 

src/Timer.cc

@@ -93,7 +93,7 @@ void TimerMgr::Process()
 	// pseudo-realtime), advance the timer here to the current time since otherwise it won't
 	// move forward and the timers won't fire correctly.
 	iosource::PktSrc* pkt_src = iosource_mgr->GetPktSrc();
-	if ( ! pkt_src || ! pkt_src->IsOpen() || reading_live )
+	if ( ! pkt_src || ! pkt_src->IsOpen() || reading_live || net_is_processing_suspended() )
 		net_update_time(current_time());
 
 	// Just advance the timer manager based on the current network time. This won't actually

src/TunnelEncapsulation.cc

@@ -22,9 +22,9 @@ RecordVal* EncapsulatingConn::GetRecordVal() const
 
 	auto id_val = make_intrusive<RecordVal>(conn_id);
 	id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
-	id_val->Assign(1, val_mgr->GetPort(ntohs(src_port), proto));
+	id_val->Assign(1, val_mgr->Port(ntohs(src_port), proto));
 	id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
-	id_val->Assign(3, val_mgr->GetPort(ntohs(dst_port), proto));
+	id_val->Assign(3, val_mgr->Port(ntohs(dst_port), proto));
 	rv->Assign(0, std::move(id_val));
 	rv->Assign(1, BifType::Enum::Tunnel::Type->GetVal(type));
 

src/Type.cc

@@ -840,7 +840,7 @@ IntrusivePtr<TableVal> RecordType::GetRecordFieldsVal(const RecordVal* rv) const
 
 		string s = container_type_name(ft);
 		nr->Assign(0, make_intrusive<StringVal>(s));
-		nr->Assign(1, val_mgr->GetBool(logged));
+		nr->Assign(1, val_mgr->Bool(logged));
 		nr->Assign(2, fv);
 		nr->Assign(3, FieldDefault(i));
 		Val* field_name = new StringVal(FieldName(i));
@@ -1615,7 +1615,12 @@ bool same_type(const BroType* t1, const BroType* t2, bool is_init, bool match_re
 		}
 
 	case TYPE_TYPE:
-		return same_type(t1, t2, is_init, match_record_field_names);
+		{
+		auto tt1 = t1->AsTypeType();
+		auto tt2 = t2->AsTypeType();
+		return same_type(tt1->Type(), tt1->Type(),
+		                 is_init, match_record_field_names);
+		}
 
 	case TYPE_UNION:
 		reporter->Error("union type in same_type()");

src/Type.h

@@ -507,6 +507,7 @@ public:
 	TypeType* ShallowClone() override { return new TypeType(type); }
 
 	BroType* Type()			{ return type.get(); }
+	const BroType* Type() const	{ return type.get(); }
 
 protected:
 	IntrusivePtr<BroType> type;

src/Val.cc

@@ -136,6 +136,10 @@ IntrusivePtr<Val> Val::DoClone(CloneState* state)
 			return {NewRef{}, this};
 			}
 
+		if ( type->Tag() == TYPE_TYPE )
+			// These are immutable, essentially.
+			return {NewRef{}, this};
+
 		// Fall-through.
 
 	default:
@@ -250,19 +254,19 @@ IntrusivePtr<Val> Val::SizeVal() const
 		// Return abs value. However abs() only works on ints and llabs
 		// doesn't work on Mac OS X 10.5. So we do it by hand
 		if ( val.int_val < 0 )
-			return {AdoptRef{}, val_mgr->GetCount(-val.int_val)};
+			return val_mgr->Count(-val.int_val);
 		else
-			return {AdoptRef{}, val_mgr->GetCount(val.int_val)};
+			return val_mgr->Count(val.int_val);
 
 	case TYPE_INTERNAL_UNSIGNED:
-		return {AdoptRef{}, val_mgr->GetCount(val.uint_val)};
+		return val_mgr->Count(val.uint_val);
 
 	case TYPE_INTERNAL_DOUBLE:
 		return make_intrusive<Val>(fabs(val.double_val), TYPE_DOUBLE);
 
 	case TYPE_INTERNAL_OTHER:
 		if ( type->Tag() == TYPE_FUNC )
-			return {AdoptRef{}, val_mgr->GetCount(val.func_val->FType()->ArgTypes()->Types()->length())};
+			return val_mgr->Count(val.func_val->FType()->ArgTypes()->Types()->length());
 
 		if ( type->Tag() == TYPE_FILE )
 			return make_intrusive<Val>(val.file_val->Size(), TYPE_DOUBLE);
@@ -272,7 +276,7 @@ IntrusivePtr<Val> Val::SizeVal() const
 		break;
 	}
 
-	return {AdoptRef{}, val_mgr->GetCount(0)};
+	return val_mgr->Count(0);
 	}
 
 unsigned int Val::MemoryAllocation() const
@@ -583,9 +587,8 @@ static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val*
 						{
 						auto blank = make_intrusive<StringVal>("");
 						auto fn_val = make_intrusive<StringVal>(field_name);
-						auto key_val = fn_val->Substitute(re, blank.get(), false)->AsStringVal();
+						auto key_val = fn_val->Substitute(re, blank.get(), false);
 						key_str = key_val->ToStdString();
-						Unref(key_val);
 						}
 					else
 						key_str = field_name;
@@ -732,7 +735,7 @@ void IntervalVal::ValDescribe(ODesc* d) const
 
 IntrusivePtr<Val> PortVal::SizeVal() const
 	{
-	return {AdoptRef{}, val_mgr->GetInt(val.uint_val)};
+	return val_mgr->Int(val.uint_val);
 	}
 
 uint32_t PortVal::Mask(uint32_t port_num, TransportProto port_type)
@@ -851,9 +854,9 @@ unsigned int AddrVal::MemoryAllocation() const
 IntrusivePtr<Val> AddrVal::SizeVal() const
 	{
 	if ( val.addr_val->GetFamily() == IPv4 )
-		return {AdoptRef{}, val_mgr->GetCount(32)};
+		return val_mgr->Count(32);
 	else
-		return {AdoptRef{}, val_mgr->GetCount(128)};
+		return val_mgr->Count(128);
 	}
 
 IntrusivePtr<Val> AddrVal::DoClone(CloneState* state)
@@ -979,7 +982,7 @@ StringVal::StringVal(const string& s) : StringVal(s.length(), s.data())
 
 IntrusivePtr<Val> StringVal::SizeVal() const
 	{
-	return {AdoptRef{}, val_mgr->GetCount(val.string_val->Len())};
+	return val_mgr->Count(val.string_val->Len());
 	}
 
 int StringVal::Len()
@@ -1024,7 +1027,7 @@ unsigned int StringVal::MemoryAllocation() const
 	return padded_sizeof(*this) + val.string_val->MemoryAllocation();
 	}
 
-Val* StringVal::Substitute(RE_Matcher* re, StringVal* repl, bool do_all)
+IntrusivePtr<StringVal> StringVal::Substitute(RE_Matcher* re, StringVal* repl, bool do_all)
 	{
 	const u_char* s = Bytes();
 	int offset = 0;
@@ -1105,7 +1108,7 @@ Val* StringVal::Substitute(RE_Matcher* re, StringVal* repl, bool do_all)
 	// the NUL.
 	r[0] = '\0';
 
-	return new StringVal(new BroString(true, result, r - result));
+	return make_intrusive<StringVal>(new BroString(true, result, r - result));
 	}
 
 IntrusivePtr<Val> StringVal::DoClone(CloneState* state)
@@ -1193,7 +1196,7 @@ ListVal::~ListVal()
 
 IntrusivePtr<Val> ListVal::SizeVal() const
 	{
-	return {AdoptRef{}, val_mgr->GetCount(vals.length())};
+	return val_mgr->Count(vals.length());
 	}
 
 RE_Matcher* ListVal::BuildRE() const
@@ -1564,7 +1567,7 @@ bool TableVal::Assign(Val* index, HashKey* k, Val* new_val)
 
 IntrusivePtr<Val> TableVal::SizeVal() const
 	{
-	return {AdoptRef{}, val_mgr->GetCount(Size())};
+	return val_mgr->Count(Size());
 	}
 
 bool TableVal::AddTo(Val* val, bool is_first_init) const
@@ -2683,7 +2686,7 @@ RecordVal::~RecordVal()
 
 IntrusivePtr<Val> RecordVal::SizeVal() const
 	{
-	return {AdoptRef{}, val_mgr->GetCount(Type()->AsRecordType()->NumFields())};
+	return val_mgr->Count(Type()->AsRecordType()->NumFields());
 	}
 
 void RecordVal::Assign(int field, IntrusivePtr<Val> new_val)
@@ -2931,7 +2934,7 @@ unsigned int RecordVal::MemoryAllocation() const
 
 IntrusivePtr<Val> EnumVal::SizeVal() const
 	{
-	return {AdoptRef{}, val_mgr->GetInt(val.int_val)};
+	return val_mgr->Int(val.int_val);
 	}
 
 void EnumVal::ValDescribe(ODesc* d) const
@@ -2968,7 +2971,7 @@ VectorVal::~VectorVal()
 
 IntrusivePtr<Val> VectorVal::SizeVal() const
 	{
-	return {AdoptRef{}, val_mgr->GetCount(uint32_t(val.vector_val->size()))};
+	return val_mgr->Count(uint32_t(val.vector_val->size()));
 	}
 
 bool VectorVal::Assign(unsigned int index, IntrusivePtr<Val> element)
@@ -3205,7 +3208,7 @@ IntrusivePtr<Val> check_and_promote(IntrusivePtr<Val> v, const BroType* t,
 			return nullptr;
 			}
 		else if ( t_tag == TYPE_INT )
-			promoted_v = {AdoptRef{}, val_mgr->GetInt(v->CoerceToInt())};
+			promoted_v = val_mgr->Int(v->CoerceToInt());
 		else // enum
 			{
 			reporter->InternalError("bad internal type in check_and_promote()");
@@ -3221,7 +3224,7 @@ IntrusivePtr<Val> check_and_promote(IntrusivePtr<Val> v, const BroType* t,
 			return nullptr;
 			}
 		else if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
-			promoted_v = {AdoptRef{}, val_mgr->GetCount(v->CoerceToUnsigned())};
+			promoted_v = val_mgr->Count(v->CoerceToUnsigned());
 		else // port
 			{
 			reporter->InternalError("bad internal type in check_and_promote()");
@@ -3398,13 +3401,26 @@ bool can_cast_value_to_type(const BroType* s, BroType* t)
 	return false;
 	}
 
+IntrusivePtr<Val> Val::MakeBool(bool b)
+	{
+	return IntrusivePtr{AdoptRef{}, new Val(bro_int_t(b), TYPE_BOOL)};
+	}
+
+IntrusivePtr<Val> Val::MakeInt(bro_int_t i)
+	{
+	return IntrusivePtr{AdoptRef{}, new Val(i, TYPE_INT)};
+	}
+
+IntrusivePtr<Val> Val::MakeCount(bro_uint_t u)
+	{
+	return IntrusivePtr{AdoptRef{}, new Val(u, TYPE_COUNT)};
+	}
+
 ValManager::ValManager()
 	{
-	empty_string = new StringVal("");
+	empty_string = make_intrusive<StringVal>("");
 	b_false = Val::MakeBool(false);
 	b_true = Val::MakeBool(true);
-	counts = new Val*[PREALLOCATED_COUNTS];
-	ints = new Val*[PREALLOCATED_INTS];
 
 	for ( auto i = 0u; i < PREALLOCATED_COUNTS; ++i )
 		counts[i] = Val::MakeCount(i);
@@ -3418,37 +3434,16 @@ ValManager::ValManager()
 		auto port_type = (TransportProto)i;
 
 		for ( auto j = 0u; j < arr.size(); ++j )
-			arr[j] = new PortVal(PortVal::Mask(j, port_type));
+			arr[j] = IntrusivePtr{AdoptRef{}, new PortVal(PortVal::Mask(j, port_type))};
 		}
 	}
 
-ValManager::~ValManager()
-	{
-	Unref(empty_string);
-	Unref(b_true);
-	Unref(b_false);
-
-	for ( auto i = 0u; i < PREALLOCATED_COUNTS; ++i )
-		Unref(counts[i]);
-
-	for ( auto i = 0u; i < PREALLOCATED_INTS; ++i )
-		Unref(ints[i]);
-
-	delete [] counts;
-	delete [] ints;
-
-	for ( auto& arr : ports )
-		for ( auto& pv : arr )
-			Unref(pv);
-	}
-
 StringVal* ValManager::GetEmptyString() const
 	{
-	::Ref(empty_string);
+	return empty_string->Ref()->AsStringVal();
-	return empty_string;
 	}
 
-PortVal* ValManager::GetPort(uint32_t port_num, TransportProto port_type) const
+const IntrusivePtr<PortVal>& ValManager::Port(uint32_t port_num, TransportProto port_type) const
 	{
 	if ( port_num >= 65536 )
 		{
@@ -3456,22 +3451,30 @@ PortVal* ValManager::GetPort(uint32_t port_num, TransportProto port_type) const
 		port_num = 0;
 		}
 
-	auto rval = ports[port_type][port_num];
+	return ports[port_type][port_num];
-	::Ref(rval);
-	return rval;
 	}
 
-PortVal* ValManager::GetPort(uint32_t port_num) const
+PortVal* ValManager::GetPort(uint32_t port_num, TransportProto port_type) const
+	{
+	return Port(port_num, port_type)->Ref()->AsPortVal();
+	}
+
+const IntrusivePtr<PortVal>& ValManager::Port(uint32_t port_num) const
 	{
 	auto mask = port_num & PORT_SPACE_MASK;
 	port_num &= ~PORT_SPACE_MASK;
 
 	if ( mask == TCP_PORT_MASK )
-		return GetPort(port_num, TRANSPORT_TCP);
+		return Port(port_num, TRANSPORT_TCP);
 	else if ( mask == UDP_PORT_MASK )
-		return GetPort(port_num, TRANSPORT_UDP);
+		return Port(port_num, TRANSPORT_UDP);
 	else if ( mask == ICMP_PORT_MASK )
-		return GetPort(port_num, TRANSPORT_ICMP);
+		return Port(port_num, TRANSPORT_ICMP);
 	else
-		return GetPort(port_num, TRANSPORT_UNKNOWN);
+		return Port(port_num, TRANSPORT_UNKNOWN);
+	}
+
+PortVal* ValManager::GetPort(uint32_t port_num) const
+	{
+	return Port(port_num)->Ref()->AsPortVal();
 	}

src/Val.h

@@ -335,20 +335,9 @@ protected:
 	virtual void ValDescribe(ODesc* d) const;
 	virtual void ValDescribeReST(ODesc* d) const;
 
-	static Val* MakeBool(bool b)
+	static IntrusivePtr<Val> MakeBool(bool b);
-		{
+	static IntrusivePtr<Val> MakeInt(bro_int_t i);
-		return new Val(bro_int_t(b), TYPE_BOOL);
+	static IntrusivePtr<Val> MakeCount(bro_uint_t u);
-		}
-
-	static Val* MakeInt(bro_int_t i)
-		{
-		return new Val(i, TYPE_INT);
-		}
-
-	static Val* MakeCount(bro_uint_t u)
-		{
-		return new Val(u, TYPE_COUNT);
-		}
 
 	template<typename V>
 	Val(V &&v, TypeTag t) noexcept
@@ -406,44 +395,79 @@ public:
 
 	ValManager();
 
-	~ValManager();
+	[[deprecated("Remove in v4.1.  Use val_mgr->True() instead.")]]
-
 	inline Val* GetTrue() const
 		{ return b_true->Ref(); }
 
+	inline const IntrusivePtr<Val>& True() const
+		{ return b_true; }
+
+	[[deprecated("Remove in v4.1.  Use val_mgr->False() instead.")]]
 	inline Val* GetFalse() const
 		{ return b_false->Ref(); }
 
+	inline const IntrusivePtr<Val>& False() const
+		{ return b_false; }
+
+	[[deprecated("Remove in v4.1.  Use val_mgr->Bool() instead.")]]
 	inline Val* GetBool(bool b) const
 		{ return b ? b_true->Ref() : b_false->Ref(); }
 
+	inline const IntrusivePtr<Val>& Bool(bool b) const
+		{ return b ? b_true : b_false; }
+
+	[[deprecated("Remove in v4.1.  Use val_mgr->Int() instead.")]]
 	inline Val* GetInt(int64_t i) const
 		{
 		return i < PREALLOCATED_INT_LOWEST || i > PREALLOCATED_INT_HIGHEST ?
-		    Val::MakeInt(i) : ints[i - PREALLOCATED_INT_LOWEST]->Ref();
+		    Val::MakeInt(i).release() : ints[i - PREALLOCATED_INT_LOWEST]->Ref();
 		}
 
+	inline IntrusivePtr<Val> Int(int64_t i) const
+		{
+		return i < PREALLOCATED_INT_LOWEST || i > PREALLOCATED_INT_HIGHEST ?
+		    Val::MakeInt(i) : ints[i - PREALLOCATED_INT_LOWEST];
+		}
+
+	[[deprecated("Remove in v4.1.  Use val_mgr->Count() instead.")]]
 	inline Val* GetCount(uint64_t i) const
 		{
-		return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i) : counts[i]->Ref();
+		return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i).release() : counts[i]->Ref();
 		}
 
+	inline IntrusivePtr<Val> Count(uint64_t i) const
+		{
+		return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i) : counts[i];
+		}
+
+	[[deprecated("Remove in v4.1.  Use val_mgr->EmptyString() instead.")]]
 	StringVal* GetEmptyString() const;
 
+	inline const IntrusivePtr<StringVal>& EmptyString() const
+		{ return empty_string; }
+
 	// Port number given in host order.
+	[[deprecated("Remove in v4.1.  Use val_mgr->Port() instead.")]]
 	PortVal* GetPort(uint32_t port_num, TransportProto port_type) const;
 
+	// Port number given in host order.
+	const IntrusivePtr<PortVal>& Port(uint32_t port_num, TransportProto port_type) const;
+
 	// Host-order port number already masked with port space protocol mask.
+	[[deprecated("Remove in v4.1.  Use val_mgr->Port() instead.")]]
 	PortVal* GetPort(uint32_t port_num) const;
 
+	// Host-order port number already masked with port space protocol mask.
+	const IntrusivePtr<PortVal>& Port(uint32_t port_num) const;
+
 private:
 
-	std::array<std::array<PortVal*, 65536>, NUM_PORT_SPACES> ports;
+	std::array<std::array<IntrusivePtr<PortVal>, 65536>, NUM_PORT_SPACES> ports;
-	StringVal* empty_string;
+	std::array<IntrusivePtr<Val>, PREALLOCATED_COUNTS> counts;
-	Val* b_true;
+	std::array<IntrusivePtr<Val>, PREALLOCATED_INTS> ints;
-	Val* b_false;
+	IntrusivePtr<StringVal> empty_string;
-	Val** counts;
+	IntrusivePtr<Val> b_true;
-	Val** ints;
+	IntrusivePtr<Val> b_false;
 };
 
 extern ValManager* val_mgr;
@@ -569,7 +593,7 @@ public:
 
 	unsigned int MemoryAllocation() const override;
 
-	Val* Substitute(RE_Matcher* re, StringVal* repl, bool do_all);
+	IntrusivePtr<StringVal> Substitute(RE_Matcher* re, StringVal* repl, bool do_all);
 
 protected:
 	void ValDescribe(ODesc* d) const override;

src/analyzer/Analyzer.cc

@@ -690,9 +690,9 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
 	EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal();
 
 	mgr.Enqueue(protocol_confirmation,
-		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		ConnVal(),
 		IntrusivePtr{NewRef{}, tval},
-		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(id)}
+		val_mgr->Count(id)
 	);
 	}
 
@@ -717,9 +717,9 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
 	EnumVal* tval = tag.AsEnumVal();
 
 	mgr.Enqueue(protocol_violation,
-		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		ConnVal(),
 		IntrusivePtr{NewRef{}, tval},
-		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(id)},
+		val_mgr->Count(id),
 		IntrusivePtr{AdoptRef{}, r}
 	);
 	}
@@ -788,7 +788,12 @@ void Analyzer::UpdateConnVal(RecordVal *conn_val)
 
 RecordVal* Analyzer::BuildConnVal()
 	{
-	return conn->BuildConnVal();
+	return conn->ConnVal()->Ref()->AsRecordVal();
+	}
+
+const IntrusivePtr<RecordVal>& Analyzer::ConnVal()
+	{
+	return conn->ConnVal();
 	}
 
 void Analyzer::Event(EventHandlerPtr f, const char* name)
@@ -798,7 +803,11 @@ void Analyzer::Event(EventHandlerPtr f, const char* name)
 
 void Analyzer::Event(EventHandlerPtr f, Val* v1, Val* v2)
 	{
-	conn->Event(f, this, v1, v2);
+	IntrusivePtr val1{AdoptRef{}, v1};
+	IntrusivePtr val2{AdoptRef{}, v2};
+
+	if ( f )
+		conn->EnqueueEvent(f, this, conn->ConnVal(), std::move(val1), std::move(val2));
 	}
 
 void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl)
@@ -930,7 +939,7 @@ void TransportLayerAnalyzer::PacketContents(const u_char* data, int len)
 	if ( packet_contents && len > 0 )
 		{
 		BroString* cbs = new BroString(data, len, true);
-		Val* contents = new StringVal(cbs);
+		auto contents = make_intrusive<StringVal>(cbs);
-		Event(packet_contents, contents);
+		EnqueueConnEvent(packet_contents, ConnVal(), std::move(contents));
 		}
 	}

src/analyzer/Analyzer.h

@@ -549,8 +549,15 @@ public:
 	 * Convenience function that forwards directly to
 	 * Connection::BuildConnVal().
 	 */
+	[[deprecated("Remove in v4.1.  Use ConnVal() instead.")]]
 	RecordVal* BuildConnVal();
 
+	/**
+	 * Convenience function that forwards directly to
+	 * Connection::ConnVal().
+	 */
+	const IntrusivePtr<RecordVal>& ConnVal();
+
 	/**
 	 * Convenience function that forwards directly to the corresponding
 	 * Connection::Event().
@@ -561,6 +568,7 @@ public:
 	 * Convenience function that forwards directly to the corresponding
 	 * Connection::Event().
 	 */
+	[[deprecated("Remove in v4.1.  Use EnqueueConnEvent() instead (note it doesn't automatically ad the connection argument).")]]
 	void Event(EventHandlerPtr f, Val* v1, Val* v2 = nullptr);
 
 	/**

src/analyzer/Manager.cc

@@ -440,15 +440,13 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 
 		if ( tcp_contents && ! reass )
 			{
-			auto dport = val_mgr->GetPort(ntohs(conn->RespPort()), TRANSPORT_TCP);
+			const auto& dport = val_mgr->Port(ntohs(conn->RespPort()), TRANSPORT_TCP);
 
 			if ( ! reass )
-				reass = (bool)tcp_content_delivery_ports_orig->Lookup(dport);
+				reass = (bool)tcp_content_delivery_ports_orig->Lookup(dport.get());
 
 			if ( ! reass )
-				reass = (bool)tcp_content_delivery_ports_resp->Lookup(dport);
+				reass = (bool)tcp_content_delivery_ports_resp->Lookup(dport.get());
-
-			Unref(dport);
 			}
 
 		if ( reass )
@@ -626,9 +624,10 @@ bool Manager::ApplyScheduledAnalyzers(Connection* conn, bool init, TransportLaye
 
 		parent->AddChildAnalyzer(analyzer, init);
 
-		EnumVal* tag = it->AsEnumVal();
+		if ( scheduled_analyzer_applied )
-		Ref(tag);
+			conn->EnqueueEvent(scheduled_analyzer_applied, nullptr,
-		conn->Event(scheduled_analyzer_applied, nullptr, tag);
+			                   conn->ConnVal(),
+			                   IntrusivePtr{NewRef{}, it->AsEnumVal()});
 
 		DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled",
 		                  analyzer_mgr->GetComponentName(*it).c_str());

src/analyzer/analyzer.bif

@@ -11,41 +11,41 @@ module Analyzer;
 function Analyzer::__enable_analyzer%(id: Analyzer::Tag%) : bool
 	%{
 	bool result = analyzer_mgr->EnableAnalyzer(id->AsEnumVal());
-	return val_mgr->GetBool(result);
+	return val_mgr->Bool(result);
 	%}
 
 function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool
 	%{
 	bool result = analyzer_mgr->DisableAnalyzer(id->AsEnumVal());
-	return val_mgr->GetBool(result);
+	return val_mgr->Bool(result);
 	%}
 
 function Analyzer::__disable_all_analyzers%(%) : any
 	%{
 	analyzer_mgr->DisableAllAnalyzers();
-	return 0;
+	return nullptr;
 	%}
 
 function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool
 	%{
 	bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p);
-	return val_mgr->GetBool(result);
+	return val_mgr->Bool(result);
 	%}
 
 function Analyzer::__schedule_analyzer%(orig: addr, resp: addr, resp_p: port,
 					analyzer: Analyzer::Tag, tout: interval%) : bool
 	%{
 	analyzer_mgr->ScheduleAnalyzer(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout);
-	return val_mgr->GetTrue();
+	return val_mgr->True();
 	%}
 
 function __name%(atype: Analyzer::Tag%) : string
 	%{
-	return new StringVal(analyzer_mgr->GetComponentName(atype));
+	return make_intrusive<StringVal>(analyzer_mgr->GetComponentName(atype));
 	%}
 
 function __tag%(name: string%) : Analyzer::Tag
 	%{
 	analyzer::Tag t = analyzer_mgr->GetComponentTag(name->CheckString());
-	return t.AsEnumVal()->Ref();
+	return IntrusivePtr{NewRef{}, t.AsEnumVal()};
 	%}

src/analyzer/protocol/asn1/asn1.pac

@@ -113,15 +113,15 @@ Val* asn1_integer_to_val(const ASN1Encoding* i, TypeTag t)
 
 	switch ( t ) {
 	case TYPE_BOOL:
-		return val_mgr->GetBool(v);
+		return val_mgr->Bool(v)->Ref();
 	case TYPE_INT:
-		return val_mgr->GetInt(v);
+		return val_mgr->Int(v).release();
 	case TYPE_COUNT:
 	case TYPE_COUNTER:
-		return val_mgr->GetCount(v);
+		return val_mgr->Count(v).release();
 	default:
 		reporter->Error("bad asn1_integer_to_val tag: %s", type_name(t));
-		return val_mgr->GetCount(v);
+		return val_mgr->Count(v).release();
 	}
 	}
 
@@ -152,7 +152,7 @@ StringVal* asn1_oid_to_val(const ASN1Encoding* oid)
 
 	if ( ! subidentifier.empty() || subidentifiers.size() < 1 )
 		// Underflow.
-		return val_mgr->GetEmptyString();
+		return val_mgr->EmptyString()->Ref()->AsStringVal();
 
 	for ( size_t i = 0; i < subidentifiers.size(); ++i )
 		{

src/analyzer/protocol/bittorrent/BitTorrent.cc

@@ -120,8 +120,8 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
 	{
 	if ( bittorrent_peer_weird )
 		EnqueueConnEvent(bittorrent_peer_weird,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			make_intrusive<StringVal>(msg)
 		);
 	}

src/analyzer/protocol/bittorrent/BitTorrentTracker.cc

@@ -247,8 +247,8 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
 	{
 	if ( bt_tracker_weird )
 		EnqueueConnEvent(bt_tracker_weird,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			make_intrusive<StringVal>(msg)
 		);
 	}
@@ -348,7 +348,7 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
 
 	if ( bt_tracker_request )
 		EnqueueConnEvent(bt_tracker_request,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			IntrusivePtr{AdoptRef{}, req_val_uri},
 			IntrusivePtr{AdoptRef{}, req_val_headers}
 		);
@@ -402,8 +402,8 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 				{
 				if ( bt_tracker_response_not_ok )
 					EnqueueConnEvent(bt_tracker_response_not_ok,
-						IntrusivePtr{AdoptRef{}, BuildConnVal()},
+						ConnVal(),
-						IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
+						val_mgr->Count(res_status),
 						IntrusivePtr{AdoptRef{}, res_val_headers}
 					);
 				res_val_headers = nullptr;
@@ -480,7 +480,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
 
 			RecordVal* peer = new RecordVal(bittorrent_peer);
 			peer->Assign(0, make_intrusive<AddrVal>(ad));
-			peer->Assign(1, val_mgr->GetPort(pt, TRANSPORT_TCP));
+			peer->Assign(1, val_mgr->Port(pt, TRANSPORT_TCP));
 			res_val_peers->Assign(peer, nullptr);
 
 			Unref(peer);
@@ -503,7 +503,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
 	RecordVal* benc_value = new RecordVal(bittorrent_benc_value);
 	StringVal* name_ = new StringVal(name_len, name);
 
-	benc_value->Assign(type, val_mgr->GetInt(value));
+	benc_value->Assign(type, val_mgr->Int(value));
 	res_val_benc->Assign(name_, benc_value);
 
 	Unref(name_);
@@ -789,8 +789,8 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
 
 	if ( bt_tracker_response )
 		EnqueueConnEvent(bt_tracker_response,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
+			val_mgr->Count(res_status),
 			IntrusivePtr{AdoptRef{}, res_val_headers},
 			IntrusivePtr{AdoptRef{}, res_val_peers},
 			IntrusivePtr{AdoptRef{}, res_val_benc}

src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac

@@ -61,13 +61,13 @@ flow BitTorrent_Flow(is_orig: bool) {
 		handshake_ok = true;
 		if ( ::bittorrent_peer_handshake )
 			{
-			BifEvent::generate_bittorrent_peer_handshake(
+			BifEvent::enqueue_bittorrent_peer_handshake(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
-				bytestring_to_val(reserved),
+				to_stringval(reserved),
-				bytestring_to_val(info_hash),
+				to_stringval(info_hash),
-				bytestring_to_val(peer_id));
+				to_stringval(peer_id));
 			}
 
 		connection()->bro_analyzer()->ProtocolConfirmation();
@@ -79,7 +79,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_keep_alive )
 			{
-			BifEvent::generate_bittorrent_peer_keep_alive(
+			BifEvent::enqueue_bittorrent_peer_keep_alive(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -92,7 +92,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_choke )
 			{
-			BifEvent::generate_bittorrent_peer_choke(
+			BifEvent::enqueue_bittorrent_peer_choke(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -105,7 +105,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_unchoke )
 			{
-			BifEvent::generate_bittorrent_peer_unchoke(
+			BifEvent::enqueue_bittorrent_peer_unchoke(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -118,7 +118,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_interested )
 			{
-			BifEvent::generate_bittorrent_peer_interested(
+			BifEvent::enqueue_bittorrent_peer_interested(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -131,7 +131,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_not_interested )
 			{
-			BifEvent::generate_bittorrent_peer_not_interested(
+			BifEvent::enqueue_bittorrent_peer_not_interested(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -144,7 +144,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_have )
 			{
-			BifEvent::generate_bittorrent_peer_have(
+			BifEvent::enqueue_bittorrent_peer_have(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -158,11 +158,11 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_bitfield )
 			{
-			BifEvent::generate_bittorrent_peer_bitfield(
+			BifEvent::enqueue_bittorrent_peer_bitfield(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
-				bytestring_to_val(bitfield));
+				to_stringval(bitfield));
 			}
 
 		return true;
@@ -173,7 +173,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_request )
 			{
-			BifEvent::generate_bittorrent_peer_request(
+			BifEvent::enqueue_bittorrent_peer_request(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -188,7 +188,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_piece )
 			{
-			BifEvent::generate_bittorrent_peer_piece(
+			BifEvent::enqueue_bittorrent_peer_piece(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -203,7 +203,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_cancel )
 			{
-			BifEvent::generate_bittorrent_peer_cancel(
+			BifEvent::enqueue_bittorrent_peer_cancel(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -217,11 +217,11 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_port )
 			{
-			BifEvent::generate_bittorrent_peer_port(
+			BifEvent::enqueue_bittorrent_peer_port(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
-				val_mgr->GetPort(listen_port, TRANSPORT_TCP));
+				val_mgr->Port(listen_port, TRANSPORT_TCP));
 			}
 
 		return true;
@@ -231,12 +231,12 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_unknown )
 			{
-			BifEvent::generate_bittorrent_peer_unknown(
+			BifEvent::enqueue_bittorrent_peer_unknown(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
 				id,
-				bytestring_to_val(data));
+				to_stringval(data));
 			}
 
 		return true;

src/analyzer/protocol/conn-size/ConnSize.cc

@@ -51,9 +51,9 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
 		return;
 
 	EnqueueConnEvent(f,
-		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		ConnVal(),
-		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)},
+		val_mgr->Count(threshold),
-		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+		val_mgr->Bool(is_orig)
 	);
 	}
 
@@ -93,9 +93,9 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
 		if ( ( network_time - start_time ) > duration_thresh && conn_duration_threshold_crossed )
 			{
 			EnqueueConnEvent(conn_duration_threshold_crossed,
-					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					ConnVal(),
 					make_intrusive<Val>(duration_thresh, TYPE_INTERVAL),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+					val_mgr->Bool(is_orig)
 			);
 			duration_thresh = 0;
 			}
@@ -183,10 +183,10 @@ void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val)
 	if ( bytesidx < 0 )
 		reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field");
 
-	orig_endp->Assign(pktidx, val_mgr->GetCount(orig_pkts));
+	orig_endp->Assign(pktidx, val_mgr->Count(orig_pkts));
-	orig_endp->Assign(bytesidx, val_mgr->GetCount(orig_bytes));
+	orig_endp->Assign(bytesidx, val_mgr->Count(orig_bytes));
-	resp_endp->Assign(pktidx, val_mgr->GetCount(resp_pkts));
+	resp_endp->Assign(pktidx, val_mgr->Count(resp_pkts));
-	resp_endp->Assign(bytesidx, val_mgr->GetCount(resp_bytes));
+	resp_endp->Assign(bytesidx, val_mgr->Count(resp_bytes));
 
 	Analyzer::UpdateConnVal(conn_val);
 	}

src/analyzer/protocol/conn-size/functions.bif

@@ -35,11 +35,11 @@ function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_or
 	%{
 	analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
 	if ( ! a )
-		return val_mgr->GetFalse();
+		return val_mgr->False();
 
 	static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig);
 
-	return val_mgr->GetTrue();
+	return val_mgr->True();
 	%}
 
 ## Sets a threshold for connection packets, overwtiting any potential old thresholds.
@@ -59,11 +59,11 @@ function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_
 	%{
 	analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
 	if ( ! a )
-		return val_mgr->GetFalse();
+		return val_mgr->False();
 
 	static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, false, is_orig);
 
-	return val_mgr->GetTrue();
+	return val_mgr->True();
 	%}
 
 ## Sets the current duration threshold for connection, overwriting any potential old
@@ -81,11 +81,11 @@ function set_current_conn_duration_threshold%(cid: conn_id, threshold: interval%
 	%{
 	analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
 	if ( ! a )
-		return val_mgr->GetFalse();
+		return val_mgr->False();
 
 	static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetDurationThreshold(threshold);
 
-	return val_mgr->GetTrue();
+	return val_mgr->True();
 	%}
 
 # Gets the current byte threshold size for a connection.
@@ -103,9 +103,9 @@ function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
 	%{
 	analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
 	if ( ! a )
-		return val_mgr->GetCount(0);
+		return val_mgr->Count(0);
 
-	return val_mgr->GetCount(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig));
+	return val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig));
 	%}
 
 ## Gets the current packet threshold size for a connection.
@@ -122,9 +122,9 @@ function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): coun
 	%{
 	analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
 	if ( ! a )
-		return val_mgr->GetCount(0);
+		return val_mgr->Count(0);
 
-	return val_mgr->GetCount(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig));
+	return val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig));
 	%}
 
 ## Gets the current duration threshold size for a connection.
@@ -139,7 +139,7 @@ function get_current_conn_duration_threshold%(cid: conn_id%): interval
 	%{
 	analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
 	if ( ! a )
-		return new Val(0.0, TYPE_INTERVAL);
+		return make_intrusive<Val>(0.0, TYPE_INTERVAL);
 
-	return new Val(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold(), TYPE_INTERVAL);
+	return make_intrusive<Val>(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold(), TYPE_INTERVAL);
 	%}

src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac

@@ -37,12 +37,12 @@ refine connection DCE_RPC_Conn += {
 		%{
 		if ( dce_rpc_message )
 			{
-			BifEvent::generate_dce_rpc_message(bro_analyzer(),
+			BifEvent::enqueue_dce_rpc_message(bro_analyzer(),
 			                                  bro_analyzer()->Conn(),
 			                                  ${header.is_orig},
 			                                  fid,
 			                                  ${header.PTYPE},
-			                                   BifType::Enum::DCE_RPC::PType->GetVal(${header.PTYPE}).release());
+			                                  BifType::Enum::DCE_RPC::PType->GetVal(${header.PTYPE}));
 			}
 		return true;
 		%}
@@ -51,11 +51,11 @@ refine connection DCE_RPC_Conn += {
 		%{
 		if ( dce_rpc_bind )
 			{
-			BifEvent::generate_dce_rpc_bind(bro_analyzer(),
+			BifEvent::enqueue_dce_rpc_bind(bro_analyzer(),
 			                               bro_analyzer()->Conn(),
 			                               fid,
 			                               ${req.id},
-			                                bytestring_to_val(${req.abstract_syntax.uuid}),
+			                               to_stringval(${req.abstract_syntax.uuid}),
 			                               ${req.abstract_syntax.ver_major},
 			                               ${req.abstract_syntax.ver_minor});
 			}
@@ -67,11 +67,11 @@ refine connection DCE_RPC_Conn += {
 		%{
 		if ( dce_rpc_alter_context )
 			{
-			BifEvent::generate_dce_rpc_alter_context(bro_analyzer(),
+			BifEvent::enqueue_dce_rpc_alter_context(bro_analyzer(),
 			                                        bro_analyzer()->Conn(),
 			                                        fid,
 			                                        ${req.id},
-			                                         bytestring_to_val(${req.abstract_syntax.uuid}),
+			                                        to_stringval(${req.abstract_syntax.uuid}),
 			                                        ${req.abstract_syntax.ver_major},
 			                                        ${req.abstract_syntax.ver_minor});
 			}
@@ -83,22 +83,19 @@ refine connection DCE_RPC_Conn += {
 		%{
 		if ( dce_rpc_bind_ack )
 			{
-			StringVal *sec_addr;
+			IntrusivePtr<StringVal> sec_addr;
+
 			// Remove the null from the end of the string if it's there.
 			if ( ${bind.sec_addr}.length() > 0 &&
 			     *(${bind.sec_addr}.begin() + ${bind.sec_addr}.length()) == 0 )
-				{
+				sec_addr = make_intrusive<StringVal>(${bind.sec_addr}.length()-1, (const char*) ${bind.sec_addr}.begin());
-				sec_addr = new StringVal(${bind.sec_addr}.length()-1, (const char*) ${bind.sec_addr}.begin());
-				}
 			else
-				{
+				sec_addr = make_intrusive<StringVal>(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin());
-				sec_addr = new StringVal(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin());
-				}
 
-			BifEvent::generate_dce_rpc_bind_ack(bro_analyzer(),
+			BifEvent::enqueue_dce_rpc_bind_ack(bro_analyzer(),
 			                                   bro_analyzer()->Conn(),
 			                                   fid,
-			                                    sec_addr);
+			                                   std::move(sec_addr));
 			}
 		return true;
 		%}
@@ -107,7 +104,7 @@ refine connection DCE_RPC_Conn += {
 		%{
 		if ( dce_rpc_alter_context_resp )
 			{
-			BifEvent::generate_dce_rpc_alter_context_resp(bro_analyzer(),
+			BifEvent::enqueue_dce_rpc_alter_context_resp(bro_analyzer(),
 			                                             bro_analyzer()->Conn(),
 			                                             fid);
 			}
@@ -118,7 +115,7 @@ refine connection DCE_RPC_Conn += {
 		%{
 		if ( dce_rpc_request )
 			{
-			BifEvent::generate_dce_rpc_request(bro_analyzer(),
+			BifEvent::enqueue_dce_rpc_request(bro_analyzer(),
 			                                  bro_analyzer()->Conn(),
 			                                  fid,
 			                                  ${req.context_id},
@@ -135,7 +132,7 @@ refine connection DCE_RPC_Conn += {
 		%{
 		if ( dce_rpc_response )
 			{
-			BifEvent::generate_dce_rpc_response(bro_analyzer(),
+			BifEvent::enqueue_dce_rpc_response(bro_analyzer(),
 			                                   bro_analyzer()->Conn(),
 			                                   fid,
 			                                   ${resp.context_id},

src/analyzer/protocol/dhcp/dhcp-analyzer.pac

@@ -1,8 +1,8 @@
 
 refine flow DHCP_Flow += {
 	%member{
-		RecordVal* options;
+		IntrusivePtr<RecordVal> options;
-		VectorVal* all_options;
+		IntrusivePtr<VectorVal> all_options;
 	%}
 
 	%init{
@@ -11,10 +11,7 @@ refine flow DHCP_Flow += {
 	%}
 
 	%cleanup{
-		Unref(options);
 		options = nullptr;
-
-		Unref(all_options);
 		all_options = nullptr;
 	%}
 
@@ -22,9 +19,9 @@ refine flow DHCP_Flow += {
 		%{
 		if ( ! options )
 			{
-			options = new RecordVal(BifType::Record::DHCP::Options);
+			options = make_intrusive<RecordVal>(BifType::Record::DHCP::Options);
-			all_options = new VectorVal(index_vec);
+			all_options = make_intrusive<VectorVal>(index_vec);
-			options->Assign(0, all_options->Ref());
+			options->Assign(0, all_options);
 			}
 
 		return true;
@@ -35,8 +32,7 @@ refine flow DHCP_Flow += {
 		init_options();
 
 		if ( code != 255 )
-			all_options->Assign(all_options->Size(),
+			all_options->Assign(all_options->Size(), val_mgr->Count(code));
-			                    val_mgr->GetCount(code));
 
 		return true;
 		%}
@@ -57,12 +53,12 @@ refine flow DHCP_Flow += {
 			std::string mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length());
 			double secs = static_cast<double>(${msg.secs});
 
-			auto dhcp_msg_val = new RecordVal(BifType::Record::DHCP::Msg);
+			auto dhcp_msg_val = make_intrusive<RecordVal>(BifType::Record::DHCP::Msg);
-			dhcp_msg_val->Assign(0, val_mgr->GetCount(${msg.op}));
+			dhcp_msg_val->Assign(0, val_mgr->Count(${msg.op}));
-			dhcp_msg_val->Assign(1, val_mgr->GetCount(${msg.type}));
+			dhcp_msg_val->Assign(1, val_mgr->Count(${msg.type}));
-			dhcp_msg_val->Assign(2, val_mgr->GetCount(${msg.xid}));
+			dhcp_msg_val->Assign(2, val_mgr->Count(${msg.xid}));
 			dhcp_msg_val->Assign(3, make_intrusive<Val>(secs, TYPE_INTERVAL));
-			dhcp_msg_val->Assign(4, val_mgr->GetCount(${msg.flags}));
+			dhcp_msg_val->Assign(4, val_mgr->Count(${msg.flags}));
 			dhcp_msg_val->Assign(5, make_intrusive<AddrVal>(htonl(${msg.ciaddr})));
 			dhcp_msg_val->Assign(6, make_intrusive<AddrVal>(htonl(${msg.yiaddr})));
 			dhcp_msg_val->Assign(7, make_intrusive<AddrVal>(htonl(${msg.siaddr})));
@@ -95,14 +91,13 @@ refine flow DHCP_Flow += {
 
 			init_options();
 
-			BifEvent::generate_dhcp_message(connection()->bro_analyzer(),
+			BifEvent::enqueue_dhcp_message(connection()->bro_analyzer(),
 			                               connection()->bro_analyzer()->Conn(),
 			                               ${msg.is_orig},
-			                                dhcp_msg_val,
+			                               std::move(dhcp_msg_val),
-			                                options);
+			                               std::move(options));
 
 			options = nullptr;
-			Unref(all_options);
 			all_options = nullptr;
 			}
 

src/analyzer/protocol/dhcp/dhcp-options.pac

@@ -34,7 +34,7 @@ refine casetype OptionValue += {
 refine flow DHCP_Flow += {
 	function process_time_offset_option(v: OptionValue): bool
 		%{
-		${context.flow}->options->Assign(25, val_mgr->GetInt(${v.time_offset}));
+		${context.flow}->options->Assign(25, val_mgr->Int(${v.time_offset}));
 		return true;
 		%}
 };
@@ -250,7 +250,7 @@ refine casetype OptionValue += {
 refine flow DHCP_Flow += {
 	function process_forwarding_option(v: OptionValue): bool
 		%{
-		${context.flow}->options->Assign(6, val_mgr->GetBool(${v.forwarding} == 0 ? false : true));
+		${context.flow}->options->Assign(6, val_mgr->Bool(${v.forwarding} == 0 ? false : true));
 
 		return true;
 		%}
@@ -469,7 +469,7 @@ refine flow DHCP_Flow += {
 		for ( int i = 0; i < num_parms; ++i )
 			{
 			uint8 param = (*plist)[i];
-			params->Assign(i, val_mgr->GetCount(param));
+			params->Assign(i, val_mgr->Count(param));
 			}
 
 		${context.flow}->options->Assign(13, params);
@@ -521,7 +521,7 @@ refine casetype OptionValue += {
 refine flow DHCP_Flow += {
 	function process_max_message_size_option(v: OptionValue): bool
 		%{
-		${context.flow}->options->Assign(15, val_mgr->GetCount(${v.max_msg_size}));
+		${context.flow}->options->Assign(15, val_mgr->Count(${v.max_msg_size}));
 
 		return true;
 		%}
@@ -626,7 +626,7 @@ refine flow DHCP_Flow += {
 	function process_client_id_option(v: OptionValue): bool
 		%{
 		RecordVal* client_id = new RecordVal(BifType::Record::DHCP::ClientID);
-		client_id->Assign(0, val_mgr->GetCount(${v.client_id.hwtype}));
+		client_id->Assign(0, val_mgr->Count(${v.client_id.hwtype}));
 		client_id->Assign(1, make_intrusive<StringVal>(fmt_mac(${v.client_id.hwaddr}.begin(), ${v.client_id.hwaddr}.length())));
 
 		${context.flow}->options->Assign(19, client_id);
@@ -686,9 +686,9 @@ refine flow DHCP_Flow += {
 	function process_client_fqdn_option(v: OptionValue): bool
 		%{
 		RecordVal* client_fqdn = new RecordVal(BifType::Record::DHCP::ClientFQDN);
-		client_fqdn->Assign(0, val_mgr->GetCount(${v.client_fqdn.flags}));
+		client_fqdn->Assign(0, val_mgr->Count(${v.client_fqdn.flags}));
-		client_fqdn->Assign(1, val_mgr->GetCount(${v.client_fqdn.rcode1}));
+		client_fqdn->Assign(1, val_mgr->Count(${v.client_fqdn.rcode1}));
-		client_fqdn->Assign(2, val_mgr->GetCount(${v.client_fqdn.rcode2}));
+		client_fqdn->Assign(2, val_mgr->Count(${v.client_fqdn.rcode2}));
 		const char* domain_name = reinterpret_cast<const char*>(${v.client_fqdn.domain_name}.begin());
 		client_fqdn->Assign(3, make_intrusive<StringVal>(${v.client_fqdn.domain_name}.length(), domain_name));
 
@@ -751,8 +751,8 @@ refine flow DHCP_Flow += {
 		      ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt )
 			{
 			auto r = new RecordVal(BifType::Record::DHCP::SubOpt);
-			r->Assign(0, val_mgr->GetCount((*ptrsubopt)->code()));
+			r->Assign(0, val_mgr->Count((*ptrsubopt)->code()));
-			r->Assign(1, bytestring_to_val((*ptrsubopt)->value()));
+			r->Assign(1, to_stringval((*ptrsubopt)->value()));
 
 			relay_agent_sub_opt->Assign(i, r);
 			++i;
@@ -781,7 +781,7 @@ refine casetype OptionValue += {
 refine flow DHCP_Flow += {
 	function process_auto_config_option(v: OptionValue): bool
 		%{
-		${context.flow}->options->Assign(23, val_mgr->GetBool(${v.auto_config} == 0 ? false : true));
+		${context.flow}->options->Assign(23, val_mgr->Bool(${v.auto_config} == 0 ? false : true));
 
 		return true;
 		%}

src/analyzer/protocol/dnp3/dnp3-analyzer.pac

@@ -29,7 +29,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_header_block )
 			{
-			BifEvent::generate_dnp3_header_block(
+			BifEvent::enqueue_dnp3_header_block(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), len, ctrl, dest_addr, src_addr);
@@ -42,7 +42,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_application_request_header )
 			{
-			BifEvent::generate_dnp3_application_request_header(
+			BifEvent::enqueue_dnp3_application_request_header(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -57,7 +57,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_application_response_header )
 			{
-			BifEvent::generate_dnp3_application_response_header(
+			BifEvent::enqueue_dnp3_application_response_header(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -73,7 +73,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_object_header )
 			{
-			BifEvent::generate_dnp3_object_header(
+			BifEvent::enqueue_dnp3_object_header(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), obj_type, qua_field, number, rf_low, rf_high);
@@ -86,7 +86,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_object_prefix )
 			{
-			BifEvent::generate_dnp3_object_prefix(
+			BifEvent::enqueue_dnp3_object_prefix(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), prefix_value);
@@ -99,7 +99,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_response_data_object )
 			{
-			BifEvent::generate_dnp3_response_data_object(
+			BifEvent::enqueue_dnp3_response_data_object(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), data_value);
@@ -113,10 +113,10 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_attribute_common )
 			{
-			BifEvent::generate_dnp3_attribute_common(
+			BifEvent::enqueue_dnp3_attribute_common(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
-				is_orig(), data_type_code, leng, bytestring_to_val(attribute_obj) );
+				is_orig(), data_type_code, leng, to_stringval(attribute_obj) );
 			}
 
 		return true;
@@ -127,7 +127,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_crob )
 			{
-			BifEvent::generate_dnp3_crob(
+			BifEvent::enqueue_dnp3_crob(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), control_code, count8, on_time, off_time, status_code);
@@ -141,7 +141,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_pcb )
 			{
-			BifEvent::generate_dnp3_pcb(
+			BifEvent::enqueue_dnp3_pcb(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), control_code, count8, on_time, off_time, status_code);
@@ -155,7 +155,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_counter_32wFlag )
 			{
-			BifEvent::generate_dnp3_counter_32wFlag(
+			BifEvent::enqueue_dnp3_counter_32wFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, count_value);
@@ -169,7 +169,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_counter_16wFlag )
 			{
-			BifEvent::generate_dnp3_counter_16wFlag(
+			BifEvent::enqueue_dnp3_counter_16wFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, count_value);
@@ -183,7 +183,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_counter_32woFlag )
 			{
-			BifEvent::generate_dnp3_counter_32woFlag(
+			BifEvent::enqueue_dnp3_counter_32woFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), count_value);
@@ -197,7 +197,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_counter_16woFlag )
 			{
-			BifEvent::generate_dnp3_counter_16woFlag(
+			BifEvent::enqueue_dnp3_counter_16woFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), count_value);
@@ -211,7 +211,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_counter_32wFlag )
 			{
-			BifEvent::generate_dnp3_frozen_counter_32wFlag(
+			BifEvent::enqueue_dnp3_frozen_counter_32wFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, count_value);
@@ -225,7 +225,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_counter_16wFlag )
 			{
-			BifEvent::generate_dnp3_frozen_counter_16wFlag(
+			BifEvent::enqueue_dnp3_frozen_counter_16wFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, count_value);
@@ -239,7 +239,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_counter_32wFlagTime )
 			{
-			BifEvent::generate_dnp3_frozen_counter_32wFlagTime(
+			BifEvent::enqueue_dnp3_frozen_counter_32wFlagTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, count_value, bytestring_to_time(time48));
@@ -253,7 +253,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_counter_16wFlagTime )
 			{
-			BifEvent::generate_dnp3_frozen_counter_16wFlagTime(
+			BifEvent::enqueue_dnp3_frozen_counter_16wFlagTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, count_value, bytestring_to_time(time48));
@@ -267,7 +267,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_counter_32woFlag )
 			{
-			BifEvent::generate_dnp3_frozen_counter_32woFlag(
+			BifEvent::enqueue_dnp3_frozen_counter_32woFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), count_value);
@@ -281,7 +281,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_counter_16woFlag )
 			{
-			BifEvent::generate_dnp3_frozen_counter_16woFlag(
+			BifEvent::enqueue_dnp3_frozen_counter_16woFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), count_value);
@@ -295,7 +295,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_32wFlag )
 			{
-			BifEvent::generate_dnp3_analog_input_32wFlag(
+			BifEvent::enqueue_dnp3_analog_input_32wFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, value);
@@ -309,7 +309,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_16wFlag )
 			{
-			BifEvent::generate_dnp3_analog_input_16wFlag(
+			BifEvent::enqueue_dnp3_analog_input_16wFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, value);
@@ -323,7 +323,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_32woFlag )
 			{
-			BifEvent::generate_dnp3_analog_input_32woFlag(
+			BifEvent::enqueue_dnp3_analog_input_32woFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), value);
@@ -337,7 +337,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_16woFlag )
 			{
-			BifEvent::generate_dnp3_analog_input_16woFlag(
+			BifEvent::enqueue_dnp3_analog_input_16woFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), value);
@@ -351,7 +351,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_SPwFlag )
 			{
-			BifEvent::generate_dnp3_analog_input_SPwFlag(
+			BifEvent::enqueue_dnp3_analog_input_SPwFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, value);
@@ -365,7 +365,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_DPwFlag )
 			{
-			BifEvent::generate_dnp3_analog_input_DPwFlag(
+			BifEvent::enqueue_dnp3_analog_input_DPwFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, value_low, value_high);
@@ -379,7 +379,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_32wFlag )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_32wFlag(
+			BifEvent::enqueue_dnp3_frozen_analog_input_32wFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value);
@@ -393,7 +393,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_16wFlag )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_16wFlag(
+			BifEvent::enqueue_dnp3_frozen_analog_input_16wFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value);
@@ -407,7 +407,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_32wTime )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_32wTime(
+			BifEvent::enqueue_dnp3_frozen_analog_input_32wTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value, bytestring_to_time(time48));
@@ -421,7 +421,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_16wTime )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_16wTime(
+			BifEvent::enqueue_dnp3_frozen_analog_input_16wTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value, bytestring_to_time(time48));
@@ -435,7 +435,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_32woFlag )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_32woFlag(
+			BifEvent::enqueue_dnp3_frozen_analog_input_32woFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), frozen_value);
@@ -449,7 +449,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_16woFlag )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_16woFlag(
+			BifEvent::enqueue_dnp3_frozen_analog_input_16woFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), frozen_value);
@@ -463,7 +463,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_SPwFlag )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_SPwFlag(
+			BifEvent::enqueue_dnp3_frozen_analog_input_SPwFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value);
@@ -477,7 +477,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_DPwFlag )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_DPwFlag(
+			BifEvent::enqueue_dnp3_frozen_analog_input_DPwFlag(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value_low, frozen_value_high);
@@ -491,7 +491,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_event_32woTime )
 			{
-			BifEvent::generate_dnp3_analog_input_event_32woTime(
+			BifEvent::enqueue_dnp3_analog_input_event_32woTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, value);
@@ -505,7 +505,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_event_16woTime )
 			{
-			BifEvent::generate_dnp3_analog_input_event_16woTime(
+			BifEvent::enqueue_dnp3_analog_input_event_16woTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, value);
@@ -519,7 +519,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_event_32wTime )
 			{
-			BifEvent::generate_dnp3_analog_input_event_32wTime(
+			BifEvent::enqueue_dnp3_analog_input_event_32wTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, value, bytestring_to_time(time48));
@@ -533,7 +533,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_event_16wTime )
 			{
-			BifEvent::generate_dnp3_analog_input_event_16wTime(
+			BifEvent::enqueue_dnp3_analog_input_event_16wTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, value, bytestring_to_time(time48));
@@ -547,7 +547,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_event_SPwoTime )
 			{
-			BifEvent::generate_dnp3_analog_input_event_SPwoTime(
+			BifEvent::enqueue_dnp3_analog_input_event_SPwoTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, value);
@@ -561,7 +561,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_event_DPwoTime )
 			{
-			BifEvent::generate_dnp3_analog_input_event_DPwoTime(
+			BifEvent::enqueue_dnp3_analog_input_event_DPwoTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, value_low, value_high);
@@ -575,7 +575,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_event_SPwTime )
 			{
-			BifEvent::generate_dnp3_analog_input_event_SPwTime(
+			BifEvent::enqueue_dnp3_analog_input_event_SPwTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, value, bytestring_to_time(time48));
@@ -589,7 +589,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_analog_input_event_DPwTime )
 			{
-			BifEvent::generate_dnp3_analog_input_event_DPwTime(
+			BifEvent::enqueue_dnp3_analog_input_event_DPwTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, value_low, value_high, bytestring_to_time(time48));
@@ -603,7 +603,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_event_32woTime )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_event_32woTime(
+			BifEvent::enqueue_dnp3_frozen_analog_input_event_32woTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value);
@@ -617,7 +617,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_event_16woTime )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_event_16woTime(
+			BifEvent::enqueue_dnp3_frozen_analog_input_event_16woTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value);
@@ -631,7 +631,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_event_32wTime )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_event_32wTime(
+			BifEvent::enqueue_dnp3_frozen_analog_input_event_32wTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value, bytestring_to_time(time48));
@@ -645,7 +645,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_event_16wTime )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_event_16wTime(
+			BifEvent::enqueue_dnp3_frozen_analog_input_event_16wTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value, bytestring_to_time(time48));
@@ -659,7 +659,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_event_SPwoTime )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_event_SPwoTime(
+			BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwoTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value);
@@ -673,7 +673,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_event_DPwoTime )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_event_DPwoTime(
+			BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwoTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value_low, frozen_value_high);
@@ -687,7 +687,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_event_SPwTime )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_event_SPwTime(
+			BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value, bytestring_to_time(time48));
@@ -701,7 +701,7 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_frozen_analog_input_event_DPwTime )
 			{
-			BifEvent::generate_dnp3_frozen_analog_input_event_DPwTime(
+			BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwTime(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48));
@@ -715,10 +715,10 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_file_transport )
 			{
-			BifEvent::generate_dnp3_file_transport(
+			BifEvent::enqueue_dnp3_file_transport(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
-				is_orig(), file_handle, block_num, bytestring_to_val(file_data));
+				is_orig(), file_handle, block_num, to_stringval(file_data));
 			}
 
 		return true;
@@ -729,10 +729,10 @@ flow DNP3_Flow(is_orig: bool) {
 		%{
 		if ( ::dnp3_debug_byte )
 			{
-			BifEvent::generate_dnp3_debug_byte (
+			BifEvent::enqueue_dnp3_debug_byte (
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
-				is_orig(), bytestring_to_val(debug));
+				is_orig(), to_stringval(debug));
 			}
 
 		return true;

src/analyzer/protocol/dns/DNS.cc

@@ -49,10 +49,10 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 
 	if ( dns_message )
 		analyzer->EnqueueConnEvent(dns_message,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
+			val_mgr->Bool(is_query),
 			IntrusivePtr{AdoptRef{}, msg.BuildHdrVal()},
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
+			val_mgr->Count(len)
 		);
 
 	// There is a great deal of non-DNS traffic that runs on port 53.
@@ -134,7 +134,7 @@ void DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
 	{
 	if ( dns_end )
 		analyzer->EnqueueConnEvent(dns_end,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}
 		);
 	}
@@ -337,7 +337,7 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 
 			if ( dns_unknown_reply && ! msg->skip_event )
 				analyzer->EnqueueConnEvent(dns_unknown_reply,
-					IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+					analyzer->ConnVal(),
 					IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 					IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}
 				);
@@ -550,7 +550,7 @@ bool DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
 
 	if ( reply_event && ! msg->skip_event )
 		analyzer->EnqueueConnEvent(reply_event,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			make_intrusive<StringVal>(new BroString(name, name_end - name, true))
@@ -596,14 +596,14 @@ bool DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
 		auto r = make_intrusive<RecordVal>(dns_soa);
 		r->Assign(0, make_intrusive<StringVal>(new BroString(mname, mname_end - mname, true)));
 		r->Assign(1, make_intrusive<StringVal>(new BroString(rname, rname_end - rname, true)));
-		r->Assign(2, val_mgr->GetCount(serial));
+		r->Assign(2, val_mgr->Count(serial));
 		r->Assign(3, make_intrusive<IntervalVal>(double(refresh), Seconds));
 		r->Assign(4, make_intrusive<IntervalVal>(double(retry), Seconds));
 		r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds));
 		r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds));
 
 		analyzer->EnqueueConnEvent(dns_SOA_reply,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			std::move(r)
@@ -633,11 +633,11 @@ bool DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
 
 	if ( dns_MX_reply && ! msg->skip_event )
 		analyzer->EnqueueConnEvent(dns_MX_reply,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			make_intrusive<StringVal>(new BroString(name, name_end - name, true)),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(preference)}
+			val_mgr->Count(preference)
 		);
 
 	return true;
@@ -674,13 +674,13 @@ bool DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
 
 	if ( dns_SRV_reply && ! msg->skip_event )
 		analyzer->EnqueueConnEvent(dns_SRV_reply,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			make_intrusive<StringVal>(new BroString(name, name_end - name, true)),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(priority)},
+			val_mgr->Count(priority),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(weight)},
+			val_mgr->Count(weight),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
+			val_mgr->Count(port)
 		);
 
 	return true;
@@ -695,7 +695,7 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
 
 	if ( dns_EDNS_addl && ! msg->skip_event )
 		analyzer->EnqueueConnEvent(dns_EDNS_addl,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildEDNS_Val()}
 		);
@@ -772,7 +772,7 @@ bool DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
 		tsig.rr_error = rr_error;
 
 		analyzer->EnqueueConnEvent(dns_TSIG_addl,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildTSIG_Val(&tsig)}
 		);
@@ -873,7 +873,7 @@ bool DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
 		rrsig.signature = sign;
 
 		analyzer->EnqueueConnEvent(dns_RRSIG,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildRRSIG_Val(&rrsig)}
@@ -968,7 +968,7 @@ bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
 		dnskey.public_key = key;
 
 		analyzer->EnqueueConnEvent(dns_DNSKEY,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildDNSKEY_Val(&dnskey)}
@@ -1020,7 +1020,7 @@ bool DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
 
 	if ( dns_NSEC )
 		analyzer->EnqueueConnEvent(dns_NSEC,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			make_intrusive<StringVal>(new BroString(name, name_end - name, true)),
@@ -1106,7 +1106,7 @@ bool DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
 		nsec3.bitmaps = char_strings;
 
 		analyzer->EnqueueConnEvent(dns_NSEC3,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildNSEC3_Val(&nsec3)}
@@ -1166,7 +1166,7 @@ bool DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
 		ds.digest_val = ds_digest;
 
 		analyzer->EnqueueConnEvent(dns_DS,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildDS_Val(&ds)}
@@ -1189,7 +1189,7 @@ bool DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
 
 	if ( dns_A_reply && ! msg->skip_event )
 		analyzer->EnqueueConnEvent(dns_A_reply,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			make_intrusive<AddrVal>(htonl(addr))
@@ -1225,7 +1225,7 @@ bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
 
 	if ( event && ! msg->skip_event )
 		analyzer->EnqueueConnEvent(event,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			make_intrusive<AddrVal>(addr)
@@ -1299,7 +1299,7 @@ bool DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
 
 	if ( dns_TXT_reply )
 		analyzer->EnqueueConnEvent(dns_TXT_reply,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			std::move(char_strings)
@@ -1327,7 +1327,7 @@ bool DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
 
 	if ( dns_SPF_reply )
 		analyzer->EnqueueConnEvent(dns_SPF_reply,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
 			std::move(char_strings)
@@ -1368,10 +1368,10 @@ bool DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
 
 	if ( dns_CAA_reply )
 		analyzer->EnqueueConnEvent(dns_CAA_reply,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags)},
+			val_mgr->Count(flags),
 			make_intrusive<StringVal>(tag),
 			make_intrusive<StringVal>(value)
 		);
@@ -1396,11 +1396,11 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
 	assert(event);
 
 	analyzer->EnqueueConnEvent(event,
-		IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+		analyzer->ConnVal(),
 		IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
 		make_intrusive<StringVal>(question_name),
-		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qtype)},
+		val_mgr->Count(qtype),
-		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qclass)}
+		val_mgr->Count(qclass)
 	);
 	}
 
@@ -1446,19 +1446,19 @@ Val* DNS_MsgInfo::BuildHdrVal()
 	{
 	RecordVal* r = new RecordVal(dns_msg);
 
-	r->Assign(0, val_mgr->GetCount(id));
+	r->Assign(0, val_mgr->Count(id));
-	r->Assign(1, val_mgr->GetCount(opcode));
+	r->Assign(1, val_mgr->Count(opcode));
-	r->Assign(2, val_mgr->GetCount(rcode));
+	r->Assign(2, val_mgr->Count(rcode));
-	r->Assign(3, val_mgr->GetBool(QR));
+	r->Assign(3, val_mgr->Bool(QR));
-	r->Assign(4, val_mgr->GetBool(AA));
+	r->Assign(4, val_mgr->Bool(AA));
-	r->Assign(5, val_mgr->GetBool(TC));
+	r->Assign(5, val_mgr->Bool(TC));
-	r->Assign(6, val_mgr->GetBool(RD));
+	r->Assign(6, val_mgr->Bool(RD));
-	r->Assign(7, val_mgr->GetBool(RA));
+	r->Assign(7, val_mgr->Bool(RA));
-	r->Assign(8, val_mgr->GetCount(Z));
+	r->Assign(8, val_mgr->Count(Z));
-	r->Assign(9, val_mgr->GetCount(qdcount));
+	r->Assign(9, val_mgr->Count(qdcount));
-	r->Assign(10, val_mgr->GetCount(ancount));
+	r->Assign(10, val_mgr->Count(ancount));
-	r->Assign(11, val_mgr->GetCount(nscount));
+	r->Assign(11, val_mgr->Count(nscount));
-	r->Assign(12, val_mgr->GetCount(arcount));
+	r->Assign(12, val_mgr->Count(arcount));
 
 	return r;
 	}
@@ -1468,10 +1468,10 @@ Val* DNS_MsgInfo::BuildAnswerVal()
 	RecordVal* r = new RecordVal(dns_answer);
 
 	Ref(query_name);
-	r->Assign(0, val_mgr->GetCount(int(answer_type)));
+	r->Assign(0, val_mgr->Count(int(answer_type)));
 	r->Assign(1, query_name);
-	r->Assign(2, val_mgr->GetCount(atype));
+	r->Assign(2, val_mgr->Count(atype));
-	r->Assign(3, val_mgr->GetCount(aclass));
+	r->Assign(3, val_mgr->Count(aclass));
 	r->Assign(4, make_intrusive<IntervalVal>(double(ttl), Seconds));
 
 	return r;
@@ -1484,14 +1484,14 @@ Val* DNS_MsgInfo::BuildEDNS_Val()
 	RecordVal* r = new RecordVal(dns_edns_additional);
 
 	Ref(query_name);
-	r->Assign(0, val_mgr->GetCount(int(answer_type)));
+	r->Assign(0, val_mgr->Count(int(answer_type)));
 	r->Assign(1, query_name);
 
 	// type = 0x29 or 41 = EDNS
-	r->Assign(2, val_mgr->GetCount(atype));
+	r->Assign(2, val_mgr->Count(atype));
 
 	// sender's UDP payload size, per RFC 2671 4.3
-	r->Assign(3, val_mgr->GetCount(aclass));
+	r->Assign(3, val_mgr->Count(aclass));
 
 	// Need to break the TTL field into three components:
 	// initial: [------------- ttl (32) ---------------------]
@@ -1504,11 +1504,11 @@ Val* DNS_MsgInfo::BuildEDNS_Val()
 
 	unsigned int return_error = (ercode << 8) | rcode;
 
-	r->Assign(4, val_mgr->GetCount(return_error));
+	r->Assign(4, val_mgr->Count(return_error));
-	r->Assign(5, val_mgr->GetCount(version));
+	r->Assign(5, val_mgr->Count(version));
-	r->Assign(6, val_mgr->GetCount(z));
+	r->Assign(6, val_mgr->Count(z));
 	r->Assign(7, make_intrusive<IntervalVal>(double(ttl), Seconds));
-	r->Assign(8, val_mgr->GetCount(is_query));
+	r->Assign(8, val_mgr->Count(is_query));
 
 	return r;
 	}
@@ -1519,16 +1519,16 @@ Val* DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
 	double rtime = tsig->time_s + tsig->time_ms / 1000.0;
 
 	Ref(query_name);
-	// r->Assign(0, val_mgr->GetCount(int(answer_type)));
+	// r->Assign(0, val_mgr->Count(int(answer_type)));
 	r->Assign(0, query_name);
-	r->Assign(1, val_mgr->GetCount(int(answer_type)));
+	r->Assign(1, val_mgr->Count(int(answer_type)));
 	r->Assign(2, make_intrusive<StringVal>(tsig->alg_name));
 	r->Assign(3, make_intrusive<StringVal>(tsig->sig));
 	r->Assign(4, make_intrusive<Val>(rtime, TYPE_TIME));
 	r->Assign(5, make_intrusive<Val>(double(tsig->fudge), TYPE_TIME));
-	r->Assign(6, val_mgr->GetCount(tsig->orig_id));
+	r->Assign(6, val_mgr->Count(tsig->orig_id));
-	r->Assign(7, val_mgr->GetCount(tsig->rr_error));
+	r->Assign(7, val_mgr->Count(tsig->rr_error));
-	r->Assign(8, val_mgr->GetCount(is_query));
+	r->Assign(8, val_mgr->Count(is_query));
 
 	return r;
 	}
@@ -1539,17 +1539,17 @@ Val* DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
 
 	Ref(query_name);
 	r->Assign(0, query_name);
-	r->Assign(1, val_mgr->GetCount(int(answer_type)));
+	r->Assign(1, val_mgr->Count(int(answer_type)));
-	r->Assign(2, val_mgr->GetCount(rrsig->type_covered));
+	r->Assign(2, val_mgr->Count(rrsig->type_covered));
-	r->Assign(3, val_mgr->GetCount(rrsig->algorithm));
+	r->Assign(3, val_mgr->Count(rrsig->algorithm));
-	r->Assign(4, val_mgr->GetCount(rrsig->labels));
+	r->Assign(4, val_mgr->Count(rrsig->labels));
 	r->Assign(5, make_intrusive<IntervalVal>(double(rrsig->orig_ttl), Seconds));
 	r->Assign(6, make_intrusive<Val>(double(rrsig->sig_exp), TYPE_TIME));
 	r->Assign(7, make_intrusive<Val>(double(rrsig->sig_incep), TYPE_TIME));
-	r->Assign(8, val_mgr->GetCount(rrsig->key_tag));
+	r->Assign(8, val_mgr->Count(rrsig->key_tag));
 	r->Assign(9, make_intrusive<StringVal>(rrsig->signer_name));
 	r->Assign(10, make_intrusive<StringVal>(rrsig->signature));
-	r->Assign(11, val_mgr->GetCount(is_query));
+	r->Assign(11, val_mgr->Count(is_query));
 
 	return r;
 	}
@@ -1560,12 +1560,12 @@ Val* DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
 
 	Ref(query_name);
 	r->Assign(0, query_name);
-	r->Assign(1, val_mgr->GetCount(int(answer_type)));
+	r->Assign(1, val_mgr->Count(int(answer_type)));
-	r->Assign(2, val_mgr->GetCount(dnskey->dflags));
+	r->Assign(2, val_mgr->Count(dnskey->dflags));
-	r->Assign(3, val_mgr->GetCount(dnskey->dprotocol));
+	r->Assign(3, val_mgr->Count(dnskey->dprotocol));
-	r->Assign(4, val_mgr->GetCount(dnskey->dalgorithm));
+	r->Assign(4, val_mgr->Count(dnskey->dalgorithm));
 	r->Assign(5, make_intrusive<StringVal>(dnskey->public_key));
-	r->Assign(6, val_mgr->GetCount(is_query));
+	r->Assign(6, val_mgr->Count(is_query));
 
 	return r;
 	}
@@ -1576,16 +1576,16 @@ Val* DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
 
 	Ref(query_name);
 	r->Assign(0, query_name);
-	r->Assign(1, val_mgr->GetCount(int(answer_type)));
+	r->Assign(1, val_mgr->Count(int(answer_type)));
-	r->Assign(2, val_mgr->GetCount(nsec3->nsec_flags));
+	r->Assign(2, val_mgr->Count(nsec3->nsec_flags));
-	r->Assign(3, val_mgr->GetCount(nsec3->nsec_hash_algo));
+	r->Assign(3, val_mgr->Count(nsec3->nsec_hash_algo));
-	r->Assign(4, val_mgr->GetCount(nsec3->nsec_iter));
+	r->Assign(4, val_mgr->Count(nsec3->nsec_iter));
-	r->Assign(5, val_mgr->GetCount(nsec3->nsec_salt_len));
+	r->Assign(5, val_mgr->Count(nsec3->nsec_salt_len));
 	r->Assign(6, make_intrusive<StringVal>(nsec3->nsec_salt));
-	r->Assign(7, val_mgr->GetCount(nsec3->nsec_hlen));
+	r->Assign(7, val_mgr->Count(nsec3->nsec_hlen));
 	r->Assign(8, make_intrusive<StringVal>(nsec3->nsec_hash));
 	r->Assign(9, nsec3->bitmaps);
-	r->Assign(10, val_mgr->GetCount(is_query));
+	r->Assign(10, val_mgr->Count(is_query));
 
 	return r;
 	}
@@ -1596,12 +1596,12 @@ Val* DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
 
 	Ref(query_name);
 	r->Assign(0, query_name);
-	r->Assign(1, val_mgr->GetCount(int(answer_type)));
+	r->Assign(1, val_mgr->Count(int(answer_type)));
-	r->Assign(2, val_mgr->GetCount(ds->key_tag));
+	r->Assign(2, val_mgr->Count(ds->key_tag));
-	r->Assign(3, val_mgr->GetCount(ds->algorithm));
+	r->Assign(3, val_mgr->Count(ds->algorithm));
-	r->Assign(4, val_mgr->GetCount(ds->digest_type));
+	r->Assign(4, val_mgr->Count(ds->digest_type));
 	r->Assign(5, make_intrusive<StringVal>(ds->digest_val));
-	r->Assign(6, val_mgr->GetCount(is_query));
+	r->Assign(6, val_mgr->Count(is_query));
 
 	return r;
 	}

src/analyzer/protocol/file/File.cc

@@ -80,7 +80,7 @@ void File_Analyzer::Identify()
 
 	if ( file_transferred )
 		EnqueueConnEvent(file_transferred,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			make_intrusive<StringVal>(buffer_len, buffer),
 			make_intrusive<StringVal>("<unknown>"),
 			make_intrusive<StringVal>(match)

src/analyzer/protocol/finger/Finger.cc

@@ -68,8 +68,8 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 
 		if ( finger_request )
 			EnqueueConnEvent(finger_request,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(long_cnt)},
+				val_mgr->Bool(long_cnt),
 				make_intrusive<StringVal>(at - line, line),
 				make_intrusive<StringVal>(end_of_line - host, host)
 			);
@@ -86,7 +86,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 			return;
 
 		EnqueueConnEvent(finger_reply,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			make_intrusive<StringVal>(end_of_line - line, line)
 		);
 		}

src/analyzer/protocol/ftp/FTP.cc

@@ -97,7 +97,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 			cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
 
 		vl = {
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			IntrusivePtr{AdoptRef{}, cmd_str},
 			make_intrusive<StringVal>(end_of_line - line, line),
 		};
@@ -176,10 +176,10 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 			}
 
 		vl = {
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
+			val_mgr->Count(reply_code),
 			make_intrusive<StringVal>(end_of_line - line, line),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(cont_resp)}
+			val_mgr->Bool(cont_resp)
 		};
 
 		f = ftp_reply;

src/analyzer/protocol/ftp/functions.bif

@@ -4,9 +4,9 @@ type ftp_port: record;
 %%{
 #include "Reporter.h"
 
-static Val* parse_port(const char* line)
+static IntrusivePtr<Val> parse_port(const char* line)
 	{
-	RecordVal* r = new RecordVal(BifType::Record::ftp_port);
+	auto r = make_intrusive<RecordVal>(BifType::Record::ftp_port);
 
 	int bytes[6];
 	if ( line && sscanf(line, "%d,%d,%d,%d,%d,%d",
@@ -34,22 +34,22 @@ static Val* parse_port(const char* line)
 			}
 
 		r->Assign(0, make_intrusive<AddrVal>(htonl(addr)));
-		r->Assign(1, val_mgr->GetPort(port, TRANSPORT_TCP));
+		r->Assign(1, val_mgr->Port(port, TRANSPORT_TCP));
-		r->Assign(2, val_mgr->GetBool(good));
+		r->Assign(2, val_mgr->Bool(good));
 		}
 	else
 		{
 		r->Assign(0, make_intrusive<AddrVal>(uint32_t(0)));
-		r->Assign(1, val_mgr->GetPort(0, TRANSPORT_TCP));
+		r->Assign(1, val_mgr->Port(0, TRANSPORT_TCP));
-		r->Assign(2, val_mgr->GetFalse());
+		r->Assign(2, val_mgr->False());
 		}
 
 	return r;
 	}
 
-static Val* parse_eftp(const char* line)
+static IntrusivePtr<Val> parse_eftp(const char* line)
 	{
-	RecordVal* r = new RecordVal(BifType::Record::ftp_port);
+	auto r = make_intrusive<RecordVal>(BifType::Record::ftp_port);
 
 	int net_proto = 0;	// currently not used
 	IPAddr addr;	// unspecified IPv6 address (all 128 bits zero)
@@ -110,8 +110,8 @@ static Val* parse_eftp(const char* line)
 		}
 
 	r->Assign(0, make_intrusive<AddrVal>(addr));
-	r->Assign(1, val_mgr->GetPort(port, TRANSPORT_TCP));
+	r->Assign(1, val_mgr->Port(port, TRANSPORT_TCP));
-	r->Assign(2, val_mgr->GetBool(good));
+	r->Assign(2, val_mgr->Bool(good));
 
 	return r;
 	}
@@ -206,7 +206,7 @@ function fmt_ftp_port%(a: addr, p: port%): string
 		{
 		uint32_t a = ntohl(addr[0]);
 		uint32_t pn = p->Port();
-		return new StringVal(fmt("%d,%d,%d,%d,%d,%d",
+		return make_intrusive<StringVal>(fmt("%d,%d,%d,%d,%d,%d",
 						a >> 24, (a >> 16) & 0xff,
 						(a >> 8) & 0xff, a & 0xff,
 						pn >> 8, pn & 0xff));
@@ -215,6 +215,6 @@ function fmt_ftp_port%(a: addr, p: port%): string
 		{
 		builtin_error("conversion of non-IPv4 address in fmt_ftp_port",
 		              @ARG@[0]);
-		return val_mgr->GetEmptyString();
+		return val_mgr->EmptyString();
 		}
 	%}

src/analyzer/protocol/gnutella/Gnutella.cc

@@ -59,9 +59,9 @@ void Gnutella_Analyzer::Done()
 	if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
 		{
 		if ( Established() && gnutella_establish )
-			EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
+			EnqueueConnEvent(gnutella_establish, ConnVal());
 		else if ( ! Established () && gnutella_not_establish )
-			EnqueueConnEvent(gnutella_not_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
+			EnqueueConnEvent(gnutella_not_establish, ConnVal());
 		}
 
 	if ( gnutella_partial_binary_msg )
@@ -72,10 +72,10 @@ void Gnutella_Analyzer::Done()
 			{
 			if ( ! p->msg_sent && p->msg_pos )
 				EnqueueConnEvent(gnutella_partial_binary_msg,
-					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					ConnVal(),
 					make_intrusive<StringVal>(p->msg),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetBool((i == 0))},
+					val_mgr->Bool((i == 0)),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_pos)}
+					val_mgr->Count(p->msg_pos)
 				);
 
 			else if ( ! p->msg_sent && p->payload_left )
@@ -118,7 +118,7 @@ bool Gnutella_Analyzer::IsHTTP(std::string header)
 		return false;
 
 	if ( gnutella_http_notify )
-		EnqueueConnEvent(gnutella_http_notify, IntrusivePtr{AdoptRef{}, BuildConnVal()});
+		EnqueueConnEvent(gnutella_http_notify, ConnVal());
 
 	analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
 
@@ -177,8 +177,8 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
 			{
 			if ( gnutella_text_msg )
 				EnqueueConnEvent(gnutella_text_msg,
-					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					ConnVal(),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					val_mgr->Bool(orig),
 					make_intrusive<StringVal>(ms->headers.data())
 				);
 
@@ -189,7 +189,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
 				{
 				sent_establish = 1;
 
-				EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
+				EnqueueConnEvent(gnutella_establish, ConnVal());
 				}
 			}
 		}
@@ -215,16 +215,16 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
 
 	if ( gnutella_binary_msg )
 		EnqueueConnEvent(gnutella_binary_msg,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			val_mgr->Bool(is_orig),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_type)},
+			val_mgr->Count(p->msg_type),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_ttl)},
+			val_mgr->Count(p->msg_ttl),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_hops)},
+			val_mgr->Count(p->msg_hops),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_len)},
+			val_mgr->Count(p->msg_len),
 			make_intrusive<StringVal>(p->payload),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->payload_len)},
+			val_mgr->Count(p->payload_len),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)))},
+			val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_left == 0))}
+			val_mgr->Bool((p->payload_left == 0))
 		);
 	}
 

src/analyzer/protocol/gssapi/gssapi-analyzer.pac

@@ -61,7 +61,7 @@ refine connection GSSAPI_Conn += {
 		%{
 		if ( gssapi_neg_result )
 			{
-			BifEvent::generate_gssapi_neg_result(bro_analyzer(),
+			BifEvent::enqueue_gssapi_neg_result(bro_analyzer(),
 			                                    bro_analyzer()->Conn(),
 			                                    binary_to_int64(${val.neg_state.encoding.content}));
 			}

src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac

@@ -4,90 +4,90 @@
 %}
 
 %code{
-RecordVal* BuildGTPv1Hdr(const GTPv1_Header* pdu)
+IntrusivePtr<RecordVal> BuildGTPv1Hdr(const GTPv1_Header* pdu)
 	{
-	RecordVal* rv = new RecordVal(BifType::Record::gtpv1_hdr);
+	auto rv = make_intrusive<RecordVal>(BifType::Record::gtpv1_hdr);
 
-	rv->Assign(0, val_mgr->GetCount(pdu->version()));
+	rv->Assign(0, val_mgr->Count(pdu->version()));
-	rv->Assign(1, val_mgr->GetBool(pdu->pt_flag()));
+	rv->Assign(1, val_mgr->Bool(pdu->pt_flag()));
-	rv->Assign(2, val_mgr->GetBool(pdu->rsv()));
+	rv->Assign(2, val_mgr->Bool(pdu->rsv()));
-	rv->Assign(3, val_mgr->GetBool(pdu->e_flag()));
+	rv->Assign(3, val_mgr->Bool(pdu->e_flag()));
-	rv->Assign(4, val_mgr->GetBool(pdu->s_flag()));
+	rv->Assign(4, val_mgr->Bool(pdu->s_flag()));
-	rv->Assign(5, val_mgr->GetBool(pdu->pn_flag()));
+	rv->Assign(5, val_mgr->Bool(pdu->pn_flag()));
-	rv->Assign(6, val_mgr->GetCount(pdu->msg_type()));
+	rv->Assign(6, val_mgr->Count(pdu->msg_type()));
-	rv->Assign(7, val_mgr->GetCount(pdu->length()));
+	rv->Assign(7, val_mgr->Count(pdu->length()));
-	rv->Assign(8, val_mgr->GetCount(pdu->teid()));
+	rv->Assign(8, val_mgr->Count(pdu->teid()));
 
 	if ( pdu->has_opt() )
 		{
-		rv->Assign(9, val_mgr->GetCount(pdu->opt_hdr()->seq()));
+		rv->Assign(9, val_mgr->Count(pdu->opt_hdr()->seq()));
-		rv->Assign(10, val_mgr->GetCount(pdu->opt_hdr()->n_pdu()));
+		rv->Assign(10, val_mgr->Count(pdu->opt_hdr()->n_pdu()));
-		rv->Assign(11, val_mgr->GetCount(pdu->opt_hdr()->next_type()));
+		rv->Assign(11, val_mgr->Count(pdu->opt_hdr()->next_type()));
 		}
 
 	return rv;
 	}
 
-Val* BuildIMSI(const InformationElement* ie)
+static IntrusivePtr<Val> BuildIMSI(const InformationElement* ie)
 	{
-	return val_mgr->GetCount(ie->imsi()->value());
+	return val_mgr->Count(ie->imsi()->value());
 	}
 
-Val* BuildRAI(const InformationElement* ie)
+static IntrusivePtr<Val> BuildRAI(const InformationElement* ie)
 	{
-	RecordVal* ev = new RecordVal(BifType::Record::gtp_rai);
+	auto ev = make_intrusive<RecordVal>(BifType::Record::gtp_rai);
-	ev->Assign(0, val_mgr->GetCount(ie->rai()->mcc()));
+	ev->Assign(0, val_mgr->Count(ie->rai()->mcc()));
-	ev->Assign(1, val_mgr->GetCount(ie->rai()->mnc()));
+	ev->Assign(1, val_mgr->Count(ie->rai()->mnc()));
-	ev->Assign(2, val_mgr->GetCount(ie->rai()->lac()));
+	ev->Assign(2, val_mgr->Count(ie->rai()->lac()));
-	ev->Assign(3, val_mgr->GetCount(ie->rai()->rac()));
+	ev->Assign(3, val_mgr->Count(ie->rai()->rac()));
 	return ev;
 	}
 
-Val* BuildRecovery(const InformationElement* ie)
+static IntrusivePtr<Val> BuildRecovery(const InformationElement* ie)
 	{
-	return val_mgr->GetCount(ie->recovery()->restart_counter());
+	return val_mgr->Count(ie->recovery()->restart_counter());
 	}
 
-Val* BuildSelectionMode(const InformationElement* ie)
+static IntrusivePtr<Val> BuildSelectionMode(const InformationElement* ie)
 	{
-	return val_mgr->GetCount(ie->selection_mode()->mode());
+	return val_mgr->Count(ie->selection_mode()->mode());
 	}
 
-Val* BuildTEID1(const InformationElement* ie)
+static IntrusivePtr<Val> BuildTEID1(const InformationElement* ie)
 	{
-	return val_mgr->GetCount(ie->teid1()->value());
+	return val_mgr->Count(ie->teid1()->value());
 	}
 
-Val* BuildTEID_ControlPlane(const InformationElement* ie)
+static IntrusivePtr<Val> BuildTEID_ControlPlane(const InformationElement* ie)
 	{
-	return val_mgr->GetCount(ie->teidcp()->value());
+	return val_mgr->Count(ie->teidcp()->value());
 	}
 
-Val* BuildNSAPI(const InformationElement* ie)
+static IntrusivePtr<Val> BuildNSAPI(const InformationElement* ie)
 	{
-	return val_mgr->GetCount(ie->nsapi()->nsapi());
+	return val_mgr->Count(ie->nsapi()->nsapi());
 	}
 
-Val* BuildChargingCharacteristics(const InformationElement* ie)
+static IntrusivePtr<Val> BuildChargingCharacteristics(const InformationElement* ie)
 	{
-	return val_mgr->GetCount(ie->charging_characteristics()->value());
+	return val_mgr->Count(ie->charging_characteristics()->value());
 	}
 
-Val* BuildTraceReference(const InformationElement* ie)
+static IntrusivePtr<Val> BuildTraceReference(const InformationElement* ie)
 	{
-	return val_mgr->GetCount(ie->trace_reference()->value());
+	return val_mgr->Count(ie->trace_reference()->value());
 	}
 
-Val* BuildTraceType(const InformationElement* ie)
+static IntrusivePtr<Val> BuildTraceType(const InformationElement* ie)
 	{
-	return val_mgr->GetCount(ie->trace_type()->value());
+	return val_mgr->Count(ie->trace_type()->value());
 	}
 
 Val* BuildEndUserAddr(const InformationElement* ie)
 	{
 	RecordVal* ev = new RecordVal(BifType::Record::gtp_end_user_addr);
-	ev->Assign(0, val_mgr->GetCount(ie->end_user_addr()->pdp_type_org()));
+	ev->Assign(0, val_mgr->Count(ie->end_user_addr()->pdp_type_org()));
-	ev->Assign(1, val_mgr->GetCount(ie->end_user_addr()->pdp_type_num()));
+	ev->Assign(1, val_mgr->Count(ie->end_user_addr()->pdp_type_num()));
 
 	int len = ie->end_user_addr()->pdp_addr().length();
 
@@ -161,7 +161,7 @@ Val* BuildQoS_Profile(const InformationElement* ie)
 	const u_char* d = (const u_char*) ie->qos_profile()->data().data();
 	int len = ie->qos_profile()->data().length();
 
-	ev->Assign(0, val_mgr->GetCount(ie->qos_profile()->alloc_retention_priority()));
+	ev->Assign(0, val_mgr->Count(ie->qos_profile()->alloc_retention_priority()));
 	ev->Assign(1, make_intrusive<StringVal>(new BroString(d, len, false)));
 
 	return ev;
@@ -195,25 +195,25 @@ Val* BuildPrivateExt(const InformationElement* ie)
 	const uint8* d = ie->private_ext()->value().data();
 	int len = ie->private_ext()->value().length();
 
-	ev->Assign(0, val_mgr->GetCount(ie->private_ext()->id()));
+	ev->Assign(0, val_mgr->Count(ie->private_ext()->id()));
 	ev->Assign(1, make_intrusive<StringVal>(new BroString((const u_char*) d, len, false)));
 
 	return ev;
 	}
 
-Val* BuildCause(const InformationElement* ie)
+static IntrusivePtr<Val> BuildCause(const InformationElement* ie)
 	{
-	return val_mgr->GetCount(ie->cause()->value());
+	return val_mgr->Count(ie->cause()->value());
 	}
 
-Val* BuildReorderReq(const InformationElement* ie)
+static IntrusivePtr<Val> BuildReorderReq(const InformationElement* ie)
 	{
-	return val_mgr->GetBool(ie->reorder_req()->req());
+	return val_mgr->Bool(ie->reorder_req()->req());
 	}
 
-Val* BuildChargingID(const InformationElement* ie)
+static IntrusivePtr<Val> BuildChargingID(const InformationElement* ie)
 	{
-	return val_mgr->GetCount(ie->charging_id()->value());;
+	return val_mgr->Count(ie->charging_id()->value());;
 	}
 
 Val* BuildChargingGatewayAddr(const InformationElement* ie)
@@ -228,16 +228,16 @@ Val* BuildChargingGatewayAddr(const InformationElement* ie)
 		return 0;
 	}
 
-Val* BuildTeardownInd(const InformationElement* ie)
+static IntrusivePtr<Val> BuildTeardownInd(const InformationElement* ie)
 	{
-	return val_mgr->GetBool(ie->teardown_ind()->ind());
+	return val_mgr->Bool(ie->teardown_ind()->ind());
 	}
 
 void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
 	{
 	if ( ! ::gtpv1_create_pdp_ctx_request ) return;
 
-	RecordVal* rv = new RecordVal(
+	auto rv = make_intrusive<RecordVal>(
 	  BifType::Record::gtp_create_pdp_ctx_request_elements);
 
 	const vector<InformationElement *> * v = pdu->create_pdp_ctx_request();
@@ -328,8 +328,8 @@ void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
 		}
 		}
 
-	BifEvent::generate_gtpv1_create_pdp_ctx_request(a, a->Conn(),
+	BifEvent::enqueue_gtpv1_create_pdp_ctx_request(a, a->Conn(),
-	                                                BuildGTPv1Hdr(pdu), rv);
+	                                               BuildGTPv1Hdr(pdu), std::move(rv));
 	}
 
 void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@@ -337,7 +337,7 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
 	if ( ! ::gtpv1_create_pdp_ctx_response )
 	    return;
 
-	RecordVal* rv = new RecordVal(
+	auto rv = make_intrusive<RecordVal>(
 	  BifType::Record::gtp_create_pdp_ctx_response_elements);
 
 	const vector<InformationElement *> * v = pdu->create_pdp_ctx_response();
@@ -397,8 +397,8 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
 		}
 		}
 
-	BifEvent::generate_gtpv1_create_pdp_ctx_response(a, a->Conn(),
+	BifEvent::enqueue_gtpv1_create_pdp_ctx_response(a, a->Conn(),
-	                                                 BuildGTPv1Hdr(pdu), rv);
+	                                                BuildGTPv1Hdr(pdu), std::move(rv));
 	}
 
 void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
@@ -406,7 +406,7 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
 	if ( ! ::gtpv1_update_pdp_ctx_request )
 	    return;
 
-	RecordVal* rv = new RecordVal(
+	auto rv = make_intrusive<RecordVal>(
 	  BifType::Record::gtp_update_pdp_ctx_request_elements);
 
 	const vector<InformationElement *> * v = pdu->update_pdp_ctx_request();
@@ -475,8 +475,8 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
 		}
 		}
 
-	BifEvent::generate_gtpv1_update_pdp_ctx_request(a, a->Conn(),
+	BifEvent::enqueue_gtpv1_update_pdp_ctx_request(a, a->Conn(),
-	                                                BuildGTPv1Hdr(pdu), rv);
+	                                               BuildGTPv1Hdr(pdu), std::move(rv));
 	}
 
 void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@@ -484,7 +484,7 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
 	if ( ! ::gtpv1_update_pdp_ctx_response )
 	    return;
 
-	RecordVal* rv = new RecordVal(
+	auto rv = make_intrusive<RecordVal>(
 	  BifType::Record::gtp_update_pdp_ctx_response_elements);
 
 	const vector<InformationElement *> * v = pdu->update_pdp_ctx_response();
@@ -535,8 +535,8 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
 		}
 		}
 
-	BifEvent::generate_gtpv1_update_pdp_ctx_response(a, a->Conn(),
+	BifEvent::enqueue_gtpv1_update_pdp_ctx_response(a, a->Conn(),
-	                                                 BuildGTPv1Hdr(pdu), rv);
+	                                                BuildGTPv1Hdr(pdu), std::move(rv));
 	}
 
 void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
@@ -544,7 +544,7 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
 	if ( ! ::gtpv1_delete_pdp_ctx_request )
 	    return;
 
-	RecordVal* rv = new RecordVal(
+	auto rv = make_intrusive<RecordVal>(
 	  BifType::Record::gtp_delete_pdp_ctx_request_elements);
 
 	const vector<InformationElement *> * v = pdu->delete_pdp_ctx_request();
@@ -569,8 +569,8 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
 		}
 		}
 
-	BifEvent::generate_gtpv1_delete_pdp_ctx_request(a, a->Conn(),
+	BifEvent::enqueue_gtpv1_delete_pdp_ctx_request(a, a->Conn(),
-	                                                BuildGTPv1Hdr(pdu), rv);
+	                                               BuildGTPv1Hdr(pdu), std::move(rv));
 	}
 
 void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@@ -578,7 +578,7 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
 	if ( ! ::gtpv1_delete_pdp_ctx_response )
 	    return;
 
-	RecordVal* rv = new RecordVal(
+	auto rv = make_intrusive<RecordVal>(
 	  BifType::Record::gtp_delete_pdp_ctx_response_elements);
 
 	const vector<InformationElement *> * v = pdu->delete_pdp_ctx_response();
@@ -600,8 +600,8 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
 		}
 		}
 
-	BifEvent::generate_gtpv1_delete_pdp_ctx_response(a, a->Conn(),
+	BifEvent::enqueue_gtpv1_delete_pdp_ctx_response(a, a->Conn(),
-	                                                 BuildGTPv1Hdr(pdu), rv);
+	                                                BuildGTPv1Hdr(pdu), std::move(rv));
 	}
 %}
 
@@ -679,7 +679,7 @@ flow GTPv1_Flow(is_orig: bool)
 			}
 
 		if ( ::gtpv1_message )
-			BifEvent::generate_gtpv1_message(a, c, BuildGTPv1Hdr(pdu));
+			BifEvent::enqueue_gtpv1_message(a, c, BuildGTPv1Hdr(pdu));
 
 		switch ( ${pdu.msg_type} ) {
 		case 16:
@@ -759,8 +759,8 @@ flow GTPv1_Flow(is_orig: bool)
 			}
 
 		if ( ::gtpv1_g_pdu_packet )
-			BifEvent::generate_gtpv1_g_pdu_packet(a, c, BuildGTPv1Hdr(pdu),
+			BifEvent::enqueue_gtpv1_g_pdu_packet(a, c, BuildGTPv1Hdr(pdu),
-			                                      inner->BuildPktHdrVal());
+			                                     {AdoptRef{}, inner->BuildPktHdrVal()});
 
 		EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1);
 

src/analyzer/protocol/http/HTTP.cc

@@ -618,11 +618,11 @@ Val* HTTP_Message::BuildMessageStat(bool interrupted, const char* msg)
 	RecordVal* stat = new RecordVal(http_message_stat);
 	int field = 0;
 	stat->Assign(field++, make_intrusive<Val>(start_time, TYPE_TIME));
-	stat->Assign(field++, val_mgr->GetBool(interrupted));
+	stat->Assign(field++, val_mgr->Bool(interrupted));
 	stat->Assign(field++, make_intrusive<StringVal>(msg));
-	stat->Assign(field++, val_mgr->GetCount(body_length));
+	stat->Assign(field++, val_mgr->Count(body_length));
-	stat->Assign(field++, val_mgr->GetCount(content_gap_length));
+	stat->Assign(field++, val_mgr->Count(content_gap_length));
-	stat->Assign(field++, val_mgr->GetCount(header_length));
+	stat->Assign(field++, val_mgr->Count(header_length));
 	return stat;
 	}
 
@@ -650,8 +650,8 @@ void HTTP_Message::Done(bool interrupted, const char* detail)
 
 	if ( http_message_done )
 		GetAnalyzer()->EnqueueConnEvent(http_message_done,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			val_mgr->Bool(is_orig),
 			IntrusivePtr{AdoptRef{}, BuildMessageStat(interrupted, detail)}
 		);
 
@@ -681,8 +681,8 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
 
 	if ( http_begin_entity )
 		analyzer->EnqueueConnEvent(http_begin_entity,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+			val_mgr->Bool(is_orig)
 		);
 	}
 
@@ -696,8 +696,8 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
 
 	if ( http_end_entity )
 		analyzer->EnqueueConnEvent(http_end_entity,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+			val_mgr->Bool(is_orig)
 		);
 
 	current_entity = (HTTP_Entity*) entity->Parent();
@@ -735,8 +735,8 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
 	{
 	if ( http_all_headers )
 		analyzer->EnqueueConnEvent(http_all_headers,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			val_mgr->Bool(is_orig),
 			IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
 		);
 
@@ -746,8 +746,8 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
 		StringVal* subty = current_entity->ContentSubType();
 
 		analyzer->EnqueueConnEvent(http_content_type,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			val_mgr->Bool(is_orig),
 			IntrusivePtr{NewRef{}, ty},
 			IntrusivePtr{NewRef{}, subty}
 		);
@@ -1172,13 +1172,13 @@ void HTTP_Analyzer::GenStats()
 	if ( http_stats )
 		{
 		auto r = make_intrusive<RecordVal>(http_stats_rec);
-		r->Assign(0, val_mgr->GetCount(num_requests));
+		r->Assign(0, val_mgr->Count(num_requests));
-		r->Assign(1, val_mgr->GetCount(num_replies));
+		r->Assign(1, val_mgr->Count(num_replies));
 		r->Assign(2, make_intrusive<Val>(request_version.ToDouble(), TYPE_DOUBLE));
 		r->Assign(3, make_intrusive<Val>(reply_version.ToDouble(), TYPE_DOUBLE));
 
 		// DEBUG_MSG("%.6f http_stats\n", network_time);
-		EnqueueConnEvent(http_stats, IntrusivePtr{AdoptRef{}, BuildConnVal()}, std::move(r));
+		EnqueueConnEvent(http_stats, ConnVal(), std::move(r));
 		}
 	}
 
@@ -1378,7 +1378,7 @@ void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
 	if ( http_event )
 		// DEBUG_MSG("%.6f http_event\n", network_time);
 		EnqueueConnEvent(http_event,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			make_intrusive<StringVal>(category),
 			IntrusivePtr{AdoptRef{}, detail}
 		);
@@ -1417,7 +1417,7 @@ void HTTP_Analyzer::HTTP_Request()
 	if ( http_request )
 		// DEBUG_MSG("%.6f http_request\n", network_time);
 		EnqueueConnEvent(http_request,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			IntrusivePtr{NewRef{}, request_method},
 			IntrusivePtr{AdoptRef{}, TruncateURI(request_URI->AsStringVal())},
 			IntrusivePtr{AdoptRef{}, TruncateURI(unescaped_URI->AsStringVal())},
@@ -1429,9 +1429,9 @@ void HTTP_Analyzer::HTTP_Reply()
 	{
 	if ( http_reply )
 		EnqueueConnEvent(http_reply,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			make_intrusive<StringVal>(fmt("%.1f", reply_version.ToDouble())),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
+			val_mgr->Count(reply_code),
 			reply_reason_phrase ?
 				IntrusivePtr{NewRef{}, reply_reason_phrase} :
 				make_intrusive<StringVal>("<empty>")
@@ -1506,7 +1506,7 @@ void HTTP_Analyzer::ReplyMade(bool interrupted, const char* msg)
 
 		if ( http_connection_upgrade )
 			EnqueueConnEvent(http_connection_upgrade,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
 				make_intrusive<StringVal>(upgrade_protocol)
 			);
 		}
@@ -1670,8 +1670,9 @@ void HTTP_Analyzer::HTTP_Header(bool is_orig, mime::MIME_Header* h)
 			DEBUG_MSG("%.6f http_header\n", network_time);
 
 		EnqueueConnEvent(http_header,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			val_mgr->Bool(is_orig),
+			IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())},
 			IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())->ToUpper()},
 			IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_value())}
 		);
@@ -1682,9 +1683,9 @@ void HTTP_Analyzer::HTTP_EntityData(bool is_orig, BroString* entity_data)
 	{
 	if ( http_entity_data )
 		EnqueueConnEvent(http_entity_data,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			val_mgr->Bool(is_orig),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(entity_data->Len())},
+			val_mgr->Count(entity_data->Len()),
 			make_intrusive<StringVal>(entity_data)
 		);
 	else

src/analyzer/protocol/http/events.bif

@@ -54,7 +54,9 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
 ##
 ## is_orig: True if the header was sent by the originator of the TCP connection.
 ##
-## name: The name of the header.
+## original_name: The name of the header (unaltered).
+##
+## name: The name of the header (converted to all uppercase).
 ##
 ## value: The value of the header.
 ##
@@ -64,6 +66,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
 ##
 ## .. note:: This event is also raised for headers found in nested body
 ##    entities.
+event http_header%(c: connection, is_orig: bool, original_name: string, name: string, value: string%);
 event http_header%(c: connection, is_orig: bool, name: string, value: string%);
 
 ## Generated for HTTP headers, passing on all headers of an HTTP message at

src/analyzer/protocol/http/functions.bif

@@ -31,7 +31,7 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any
 	else
 		reporter->Error("no analyzer associated with connection record");
 
-	return 0;
+	return nullptr;
 	%}
 
 ## Unescapes all characters in a URI (decode every ``%xx`` group).
@@ -52,5 +52,5 @@ function unescape_URI%(URI: string%): string
 	const u_char* line = URI->Bytes();
 	const u_char* const line_end = line + URI->Len();
 
-	return new StringVal(analyzer::http::unescape_URI(line, line_end, 0));
+	return make_intrusive<StringVal>(analyzer::http::unescape_URI(line, line_end, 0));
 	%}

src/analyzer/protocol/icmp/ICMP.cc

@@ -203,7 +203,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
     {
 	if ( icmp_sent )
 		EnqueueConnEvent(icmp_sent,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)}
 		);
 
@@ -212,7 +212,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
 		BroString* payload = new BroString(data, std::min(len, caplen), false);
 
 		EnqueueConnEvent(icmp_sent_payload,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)},
 			make_intrusive<StringVal>(payload)
 		);
@@ -228,11 +228,11 @@ RecordVal* ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len,
 
 		icmp_conn_val->Assign(0, make_intrusive<AddrVal>(Conn()->OrigAddr()));
 		icmp_conn_val->Assign(1, make_intrusive<AddrVal>(Conn()->RespAddr()));
-		icmp_conn_val->Assign(2, val_mgr->GetCount(icmpp->icmp_type));
+		icmp_conn_val->Assign(2, val_mgr->Count(icmpp->icmp_type));
-		icmp_conn_val->Assign(3, val_mgr->GetCount(icmpp->icmp_code));
+		icmp_conn_val->Assign(3, val_mgr->Count(icmpp->icmp_code));
-		icmp_conn_val->Assign(4, val_mgr->GetCount(len));
+		icmp_conn_val->Assign(4, val_mgr->Count(len));
-		icmp_conn_val->Assign(5, val_mgr->GetCount(ip_hdr->TTL()));
+		icmp_conn_val->Assign(5, val_mgr->Count(ip_hdr->TTL()));
-		icmp_conn_val->Assign(6, val_mgr->GetBool(icmpv6));
+		icmp_conn_val->Assign(6, val_mgr->Bool(icmpv6));
 		}
 
 	Ref(icmp_conn_val);
@@ -355,18 +355,18 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
 	RecordVal* id_val = new RecordVal(conn_id);
 
 	id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
-	id_val->Assign(1, val_mgr->GetPort(src_port, proto));
+	id_val->Assign(1, val_mgr->Port(src_port, proto));
 	id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
-	id_val->Assign(3, val_mgr->GetPort(dst_port, proto));
+	id_val->Assign(3, val_mgr->Port(dst_port, proto));
 
 	iprec->Assign(0, id_val);
-	iprec->Assign(1, val_mgr->GetCount(ip_len));
+	iprec->Assign(1, val_mgr->Count(ip_len));
-	iprec->Assign(2, val_mgr->GetCount(proto));
+	iprec->Assign(2, val_mgr->Count(proto));
-	iprec->Assign(3, val_mgr->GetCount(frag_offset));
+	iprec->Assign(3, val_mgr->Count(frag_offset));
-	iprec->Assign(4, val_mgr->GetBool(bad_hdr_len));
+	iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
-	iprec->Assign(5, val_mgr->GetBool(bad_checksum));
+	iprec->Assign(5, val_mgr->Bool(bad_checksum));
-	iprec->Assign(6, val_mgr->GetBool(MF));
+	iprec->Assign(6, val_mgr->Bool(MF));
-	iprec->Assign(7, val_mgr->GetBool(DF));
+	iprec->Assign(7, val_mgr->Bool(DF));
 
 	return iprec;
 	}
@@ -414,19 +414,19 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
 	RecordVal* id_val = new RecordVal(conn_id);
 
 	id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
-	id_val->Assign(1, val_mgr->GetPort(src_port, proto));
+	id_val->Assign(1, val_mgr->Port(src_port, proto));
 	id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
-	id_val->Assign(3, val_mgr->GetPort(dst_port, proto));
+	id_val->Assign(3, val_mgr->Port(dst_port, proto));
 
 	iprec->Assign(0, id_val);
-	iprec->Assign(1, val_mgr->GetCount(ip_len));
+	iprec->Assign(1, val_mgr->Count(ip_len));
-	iprec->Assign(2, val_mgr->GetCount(proto));
+	iprec->Assign(2, val_mgr->Count(proto));
-	iprec->Assign(3, val_mgr->GetCount(frag_offset));
+	iprec->Assign(3, val_mgr->Count(frag_offset));
-	iprec->Assign(4, val_mgr->GetBool(bad_hdr_len));
+	iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
 	// bad_checksum is always false since IPv6 layer doesn't have a checksum.
-	iprec->Assign(5, val_mgr->GetFalse());
+	iprec->Assign(5, val_mgr->False());
-	iprec->Assign(6, val_mgr->GetBool(MF));
+	iprec->Assign(6, val_mgr->Bool(MF));
-	iprec->Assign(7, val_mgr->GetBool(DF));
+	iprec->Assign(7, val_mgr->Bool(DF));
 
 	return iprec;
 	}
@@ -474,14 +474,14 @@ void ICMP_Analyzer::UpdateEndpointVal(RecordVal* endp, bool is_orig)
 	int size = is_orig ? request_len : reply_len;
 	if ( size < 0 )
 		{
-		endp->Assign(0, val_mgr->GetCount(0));
+		endp->Assign(0, val_mgr->Count(0));
-		endp->Assign(1, val_mgr->GetCount(int(ICMP_INACTIVE)));
+		endp->Assign(1, val_mgr->Count(int(ICMP_INACTIVE)));
 		}
 
 	else
 		{
-		endp->Assign(0, val_mgr->GetCount(size));
+		endp->Assign(0, val_mgr->Count(size));
-		endp->Assign(1, val_mgr->GetCount(int(ICMP_ACTIVE)));
+		endp->Assign(1, val_mgr->Count(int(ICMP_ACTIVE)));
 		}
 	}
 
@@ -515,10 +515,10 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
 	BroString* payload = new BroString(data, caplen, false);
 
 	EnqueueConnEvent(f,
-		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		ConnVal(),
 		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr)},
-		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iid)},
+		val_mgr->Count(iid),
-		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iseq)},
+		val_mgr->Count(iseq),
 		make_intrusive<StringVal>(payload)
 	);
 	}
@@ -543,15 +543,15 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
 	int opt_offset = sizeof(reachable) + sizeof(retrans);
 
 	EnqueueConnEvent(f,
-		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		ConnVal(),
 		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
-		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_num_addrs)}, // Cur Hop Limit
+		val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit
-		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x80)}, // Managed
+		val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed
-		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x40)}, // Other
+		val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other
-		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x20)}, // Home Agent
+		val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent
-		IntrusivePtr{AdoptRef{}, val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3)}, // Pref
+		val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref
-		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x04)}, // Proxy
+		val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy
-		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_wpa & 0x02)}, // Reserved
+		val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved
 		make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
 		make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
 		make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
@@ -576,11 +576,11 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
 	int opt_offset = sizeof(in6_addr);
 
 	EnqueueConnEvent(f,
-		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		ConnVal(),
 		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
-		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80)}, // Router
+		val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
-		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40)}, // Solicited
+		val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
-		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20)}, // Override
+		val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
 		make_intrusive<AddrVal>(tgtaddr),
 		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
 	);
@@ -603,7 +603,7 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
 	int opt_offset = sizeof(in6_addr);
 
 	EnqueueConnEvent(f,
-		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		ConnVal(),
 		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
 		make_intrusive<AddrVal>(tgtaddr),
 		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
@@ -630,7 +630,7 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
 	int opt_offset = 2 * sizeof(in6_addr);
 
 	EnqueueConnEvent(f,
-		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		ConnVal(),
 		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
 		make_intrusive<AddrVal>(tgtaddr),
 		make_intrusive<AddrVal>(dstaddr),
@@ -648,7 +648,7 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
 		return;
 
 	EnqueueConnEvent(f,
-		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		ConnVal(),
 		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
 		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen, data)}
 	);
@@ -673,9 +673,9 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
 
 	if ( f )
 		EnqueueConnEvent(f,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 0, ip_hdr)},
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
+			val_mgr->Count(icmpp->icmp_code),
 			IntrusivePtr{AdoptRef{}, ExtractICMP4Context(caplen, data)}
 		);
 	}
@@ -711,9 +711,9 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
 
 	if ( f )
 		EnqueueConnEvent(f,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
+			val_mgr->Count(icmpp->icmp_code),
 			IntrusivePtr{AdoptRef{}, ExtractICMP6Context(caplen, data)}
 		);
 	}
@@ -752,8 +752,8 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
 			}
 
 		RecordVal* rv = new RecordVal(icmp6_nd_option_type);
-		rv->Assign(0, val_mgr->GetCount(type));
+		rv->Assign(0, val_mgr->Count(type));
-		rv->Assign(1, val_mgr->GetCount(length));
+		rv->Assign(1, val_mgr->Count(length));
 
 		// Adjust length to be in units of bytes, exclude type/length fields.
 		length = length * 8 - 2;
@@ -792,9 +792,9 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
 				uint32_t valid_life = *((const uint32_t*)(data + 2));
 				uint32_t prefer_life = *((const uint32_t*)(data + 6));
 				in6_addr prefix = *((const in6_addr*)(data + 14));
-				info->Assign(0, val_mgr->GetCount(prefix_len));
+				info->Assign(0, val_mgr->Count(prefix_len));
-				info->Assign(1, val_mgr->GetBool(L_flag));
+				info->Assign(1, val_mgr->Bool(L_flag));
-				info->Assign(2, val_mgr->GetBool(A_flag));
+				info->Assign(2, val_mgr->Bool(A_flag));
 				info->Assign(3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds));
 				info->Assign(4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds));
 				info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix)));
@@ -825,7 +825,7 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
 			// MTU option
 			{
 			if ( caplen >= 6 )
-				rv->Assign(5, val_mgr->GetCount(ntohl(*((const uint32_t*)(data + 2)))));
+				rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
 			else
 				set_payload_field = true;
 

src/analyzer/protocol/ident/Ident.cc

@@ -85,9 +85,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 			}
 
 		EnqueueConnEvent(ident_request,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
+			val_mgr->Port(local_port, TRANSPORT_TCP),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)}
+			val_mgr->Port(remote_port, TRANSPORT_TCP)
 		);
 
 		did_deliver = true;
@@ -146,9 +146,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 			{
 			if ( ident_error )
 				EnqueueConnEvent(ident_error,
-					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					ConnVal(),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
+					val_mgr->Port(local_port, TRANSPORT_TCP),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
+					val_mgr->Port(remote_port, TRANSPORT_TCP),
 					make_intrusive<StringVal>(end_of_line - line, line)
 				);
 			}
@@ -179,9 +179,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 			line = skip_whitespace(colon + 1, end_of_line);
 
 			EnqueueConnEvent(ident_reply,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
+				val_mgr->Port(local_port, TRANSPORT_TCP),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
+				val_mgr->Port(remote_port, TRANSPORT_TCP),
 				make_intrusive<StringVal>(end_of_line - line, line),
 				make_intrusive<StringVal>(sys_type_s)
 			);

src/analyzer/protocol/imap/imap-analyzer.pac

@@ -45,7 +45,7 @@ refine connection IMAP_Conn += {
 				bro_analyzer()->StartTLS();
 
 				if ( imap_starttls )
-					BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
+					BifEvent::enqueue_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
 				}
 			else
 				reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS");
@@ -59,14 +59,15 @@ refine connection IMAP_Conn += {
 		if ( ! imap_capabilities )
 			return true;
 
-		VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType());
+		auto capv = make_intrusive<VectorVal>(internal_type("string_vec")->AsVectorType());
+
 		for ( unsigned int i = 0; i< capabilities->size(); i++ )
 			{
 			const bytestring& capability = (*capabilities)[i]->cap();
 			capv->Assign(i, make_intrusive<StringVal>(capability.length(), (const char*)capability.data()));
 			}
 
-		BifEvent::generate_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), capv);
+		BifEvent::enqueue_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), std::move(capv));
 		return true;
 		%}
 

src/analyzer/protocol/irc/IRC.cc

@@ -235,11 +235,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				}
 
 			EnqueueConnEvent(irc_network_info,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
+				val_mgr->Int(users),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
+				val_mgr->Int(services),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
+				val_mgr->Int(servers)
 			);
 			}
 			break;
@@ -282,8 +282,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				}
 
 			EnqueueConnEvent(irc_names_info,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
 				make_intrusive<StringVal>(type.c_str()),
 				make_intrusive<StringVal>(channel.c_str()),
 				std::move(set)
@@ -316,11 +316,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				}
 
 			EnqueueConnEvent(irc_server_info,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
+				val_mgr->Int(users),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
+				val_mgr->Int(services),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
+				val_mgr->Int(servers)
 			);
 			}
 			break;
@@ -338,9 +338,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 					channels = atoi(parts[i - 1].c_str());
 
 			EnqueueConnEvent(irc_channel_info,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(channels)}
+				val_mgr->Int(channels)
 			);
 			}
 			break;
@@ -370,8 +370,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				}
 
 			EnqueueConnEvent(irc_global_users,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
 				make_intrusive<StringVal>(eop - prefix, prefix),
 				make_intrusive<StringVal>(++msg)
 			);
@@ -396,8 +396,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			zeek::Args vl;
 			vl.reserve(6);
-			vl.emplace_back(AdoptRef{}, BuildConnVal());
+			vl.emplace_back(ConnVal());
-			vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
+			vl.emplace_back(val_mgr->Bool(orig));
 			vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
 			vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
 			vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
@@ -435,8 +435,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				}
 
 			EnqueueConnEvent(irc_whois_operator_line,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
 				make_intrusive<StringVal>(parts[0].c_str())
 			);
 			}
@@ -473,8 +473,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				}
 
 			EnqueueConnEvent(irc_whois_channel_line,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
 				make_intrusive<StringVal>(nick.c_str()),
 				std::move(set)
 			);
@@ -504,8 +504,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 					++t;
 
 				EnqueueConnEvent(irc_channel_topic,
-					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					ConnVal(),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					val_mgr->Bool(orig),
 					make_intrusive<StringVal>(parts[1].c_str()),
 					make_intrusive<StringVal>(t)
 				);
@@ -538,8 +538,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				parts[7] = parts[7].substr(1);
 
 			EnqueueConnEvent(irc_who_line,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
 				make_intrusive<StringVal>(parts[0].c_str()),
 				make_intrusive<StringVal>(parts[1].c_str()),
 				make_intrusive<StringVal>(parts[2].c_str()),
@@ -547,7 +547,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				make_intrusive<StringVal>(parts[4].c_str()),
 				make_intrusive<StringVal>(parts[5].c_str()),
 				make_intrusive<StringVal>(parts[6].c_str()),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(atoi(parts[7].c_str()))},
+				val_mgr->Int(atoi(parts[7].c_str())),
 				make_intrusive<StringVal>(parts[8].c_str())
 			);
 			}
@@ -560,8 +560,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		case 436:
 			if ( irc_invalid_nick )
 				EnqueueConnEvent(irc_invalid_nick,
-					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					ConnVal(),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}
+					val_mgr->Bool(orig)
 				);
 			break;
 
@@ -570,9 +570,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		case 491:  // user is not operator
 			if ( irc_oper_response )
 				EnqueueConnEvent(irc_oper_response,
-					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					ConnVal(),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					val_mgr->Bool(orig),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(code == 381)}
+					val_mgr->Bool(code == 381)
 				);
 			break;
 
@@ -585,10 +585,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		default:
 			if ( irc_reply )
 				EnqueueConnEvent(irc_reply,
-					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					ConnVal(),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					val_mgr->Bool(orig),
 					make_intrusive<StringVal>(prefix.c_str()),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(code)},
+					val_mgr->Count(code),
 					make_intrusive<StringVal>(params.c_str())
 				);
 			break;
@@ -656,17 +656,15 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 			if ( irc_dcc_message )
 				EnqueueConnEvent(irc_dcc_message,
-					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					ConnVal(),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					val_mgr->Bool(orig),
 					make_intrusive<StringVal>(prefix.c_str()),
 					make_intrusive<StringVal>(target.c_str()),
 					make_intrusive<StringVal>(parts[1].c_str()),
 					make_intrusive<StringVal>(parts[2].c_str()),
 					make_intrusive<AddrVal>(htonl(raw_ip)),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(atoi(parts[4].c_str()))},
+					val_mgr->Count(atoi(parts[4].c_str())),
-					IntrusivePtr{AdoptRef{}, parts.size() >= 6 ?
+					parts.size() >= 6 ? val_mgr->Count(atoi(parts[5].c_str())) : val_mgr->Count(0)
-						val_mgr->GetCount(atoi(parts[5].c_str())) :
-						val_mgr->GetCount(0)}
 				);
 			}
 
@@ -674,8 +672,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			{
 			if ( irc_privmsg_message )
 				EnqueueConnEvent(irc_privmsg_message,
-					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					ConnVal(),
-					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					val_mgr->Bool(orig),
 					make_intrusive<StringVal>(prefix.c_str()),
 					make_intrusive<StringVal>(target.c_str()),
 					make_intrusive<StringVal>(message.c_str())
@@ -699,8 +697,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			message = message.substr(1);
 
 		EnqueueConnEvent(irc_notice_message,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			make_intrusive<StringVal>(prefix.c_str()),
 			make_intrusive<StringVal>(target.c_str()),
 			make_intrusive<StringVal>(message.c_str())
@@ -723,8 +721,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			message = message.substr(1);
 
 		EnqueueConnEvent(irc_squery_message,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			make_intrusive<StringVal>(prefix.c_str()),
 			make_intrusive<StringVal>(target.c_str()),
 			make_intrusive<StringVal>(message.c_str())
@@ -737,20 +735,20 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		vector<string> parts = SplitWords(params, ' ');
 		zeek::Args vl;
 		vl.reserve(6);
-		vl.emplace_back(AdoptRef{}, BuildConnVal());
+		vl.emplace_back(ConnVal());
-		vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
+		vl.emplace_back(val_mgr->Bool(orig));
 
 		if ( parts.size() > 0 )
 			vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
-		else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
+		else vl.emplace_back(val_mgr->EmptyString());
 
 		if ( parts.size() > 1 )
 			vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
-		else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
+		else vl.emplace_back(val_mgr->EmptyString());
 
 		if ( parts.size() > 2 )
 			vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
-		else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
+		else vl.emplace_back(val_mgr->EmptyString());
 
 		string realname;
 		for ( unsigned int i = 3; i < parts.size(); i++ )
@@ -772,8 +770,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		vector<string> parts = SplitWords(params, ' ');
 		if ( parts.size() == 2 )
 			EnqueueConnEvent(irc_oper_message,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
 				make_intrusive<StringVal>(parts[0].c_str()),
 				make_intrusive<StringVal>(parts[1].c_str())
 			);
@@ -794,8 +792,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		zeek::Args vl;
 		vl.reserve(6);
-		vl.emplace_back(AdoptRef{}, BuildConnVal());
+		vl.emplace_back(ConnVal());
-		vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
+		vl.emplace_back(val_mgr->Bool(orig));
 		vl.emplace_back(make_intrusive<StringVal>(prefix.c_str()));
 		vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
 		vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
@@ -812,7 +810,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			vl.emplace_back(make_intrusive<StringVal>(comment.c_str()));
 			}
 		else
-			vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
+			vl.emplace_back(val_mgr->EmptyString());
 
 		EnqueueConnEvent(irc_kick_message, std::move(vl));
 		}
@@ -863,8 +861,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			}
 
 		EnqueueConnEvent(irc_join_message,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			std::move(list)
 		);
 		}
@@ -923,8 +921,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			}
 
 		EnqueueConnEvent(irc_join_message,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			std::move(list)
 		);
 		}
@@ -962,8 +960,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			}
 
 		EnqueueConnEvent(irc_part_message,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			make_intrusive<StringVal>(nick.c_str()),
 			std::move(set),
 			make_intrusive<StringVal>(message.c_str())
@@ -985,8 +983,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			}
 
 		EnqueueConnEvent(irc_quit_message,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			make_intrusive<StringVal>(nickname.c_str()),
 			make_intrusive<StringVal>(message.c_str())
 		);
@@ -999,8 +997,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			nick = nick.substr(1);
 
 		EnqueueConnEvent(irc_nick_message,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			make_intrusive<StringVal>(prefix.c_str()),
 			make_intrusive<StringVal>(nick.c_str())
 		);
@@ -1024,12 +1022,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			parts[0] = parts[0].substr(1);
 
 		EnqueueConnEvent(irc_who_message,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			parts.size() > 0 ?
 				make_intrusive<StringVal>(parts[0].c_str()) :
-				IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
+				val_mgr->EmptyString(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(oper)}
+			val_mgr->Bool(oper)
 		);
 		}
 
@@ -1054,8 +1052,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			users = parts[0];
 
 		EnqueueConnEvent(irc_whois_message,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			make_intrusive<StringVal>(server.c_str()),
 			make_intrusive<StringVal>(users.c_str())
 		);
@@ -1067,8 +1065,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			params = params.substr(1);
 
 		EnqueueConnEvent(irc_error_message,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			make_intrusive<StringVal>(prefix.c_str()),
 			make_intrusive<StringVal>(params.c_str())
 		);
@@ -1083,8 +1081,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				parts[1] = parts[1].substr(1);
 
 			EnqueueConnEvent(irc_invite_message,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
 				make_intrusive<StringVal>(prefix.c_str()),
 				make_intrusive<StringVal>(parts[0].c_str()),
 				make_intrusive<StringVal>(parts[1].c_str())
@@ -1098,8 +1096,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		if ( params.size() > 0 )
 			EnqueueConnEvent(irc_mode_message,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
 				make_intrusive<StringVal>(prefix.c_str()),
 				make_intrusive<StringVal>(params.c_str())
 			);
@@ -1111,8 +1109,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	else if ( irc_password_message && command == "PASS" )
 		{
 		EnqueueConnEvent(irc_password_message,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			make_intrusive<StringVal>(params.c_str())
 		);
 		}
@@ -1133,8 +1131,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			}
 
 		EnqueueConnEvent(irc_squit_message,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			val_mgr->Bool(orig),
 			make_intrusive<StringVal>(prefix.c_str()),
 			make_intrusive<StringVal>(server.c_str()),
 			make_intrusive<StringVal>(message.c_str())
@@ -1147,8 +1145,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( irc_request )
 			{
 			EnqueueConnEvent(irc_request,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
 				make_intrusive<StringVal>(prefix.c_str()),
 				make_intrusive<StringVal>(command.c_str()),
 				make_intrusive<StringVal>(params.c_str())
@@ -1161,8 +1159,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( irc_message )
 			{
 			EnqueueConnEvent(irc_message,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
-				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				val_mgr->Bool(orig),
 				make_intrusive<StringVal>(prefix.c_str()),
 				make_intrusive<StringVal>(command.c_str()),
 				make_intrusive<StringVal>(params.c_str())
@@ -1196,7 +1194,7 @@ void IRC_Analyzer::StartTLS()
 		AddChildAnalyzer(ssl);
 
 	if ( irc_starttls )
-		EnqueueConnEvent(irc_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
+		EnqueueConnEvent(irc_starttls, ConnVal());
 	}
 
 vector<string> IRC_Analyzer::SplitWords(const string& input, char split)

src/analyzer/protocol/krb/KRB.cc

@@ -87,7 +87,9 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 		}
 	}
 
-StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype)
+IntrusivePtr<StringVal> KRB_Analyzer::GetAuthenticationInfo(const BroString* principal,
+                                                            const BroString* ciphertext,
+                                                            const bro_uint_t enctype)
 	{
 #ifdef USE_KRB5
 	if ( !krb_available )
@@ -145,7 +147,7 @@ StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const
 		return nullptr;
 		}
 
-	StringVal* ret = new StringVal(cp);
+	auto ret = make_intrusive<StringVal>(cp);
 
 	krb5_free_unparsed_name(krb_context, cp);
 	krb5_free_ticket(krb_context, tkt);

src/analyzer/protocol/krb/KRB.h

@@ -25,7 +25,9 @@ public:
 	static analyzer::Analyzer* Instantiate(Connection* conn)
 		{ return new KRB_Analyzer(conn); }
 
-	StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype);
+	IntrusivePtr<StringVal> GetAuthenticationInfo(const BroString* principal,
+	                                              const BroString* ciphertext,
+	                                              const bro_uint_t enctype);
 
 protected:
 

src/analyzer/protocol/krb/KRB_TCP.h

@@ -21,7 +21,10 @@ public:
 	// Overriden from tcp::TCP_ApplicationAnalyzer.
 	void EndpointEOF(bool is_orig) override;
 
-	StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype) { return val_mgr->GetEmptyString(); }
+	IntrusivePtr<StringVal> GetAuthenticationInfo(const BroString* principal,
+	                                              const BroString* ciphertext,
+	                                              const bro_uint_t enctype)
+		{ return val_mgr->EmptyString(); }
 
 	static analyzer::Analyzer* Instantiate(Connection* conn)
 		{ return new KRB_Analyzer(conn); }

src/analyzer/protocol/krb/krb-analyzer.pac

@@ -10,19 +10,19 @@ RecordVal* proc_krb_kdc_options(const KRB_KDC_Options* opts)
 {
 	RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Options);
 
-	rv->Assign(0, val_mgr->GetBool(opts->forwardable()));
+	rv->Assign(0, val_mgr->Bool(opts->forwardable()));
-	rv->Assign(1, val_mgr->GetBool(opts->forwarded()));
+	rv->Assign(1, val_mgr->Bool(opts->forwarded()));
-	rv->Assign(2, val_mgr->GetBool(opts->proxiable()));
+	rv->Assign(2, val_mgr->Bool(opts->proxiable()));
-	rv->Assign(3, val_mgr->GetBool(opts->proxy()));
+	rv->Assign(3, val_mgr->Bool(opts->proxy()));
-	rv->Assign(4, val_mgr->GetBool(opts->allow_postdate()));
+	rv->Assign(4, val_mgr->Bool(opts->allow_postdate()));
-	rv->Assign(5, val_mgr->GetBool(opts->postdated()));
+	rv->Assign(5, val_mgr->Bool(opts->postdated()));
-	rv->Assign(6, val_mgr->GetBool(opts->renewable()));
+	rv->Assign(6, val_mgr->Bool(opts->renewable()));
-	rv->Assign(7, val_mgr->GetBool(opts->opt_hardware_auth()));
+	rv->Assign(7, val_mgr->Bool(opts->opt_hardware_auth()));
-	rv->Assign(8, val_mgr->GetBool(opts->disable_transited_check()));
+	rv->Assign(8, val_mgr->Bool(opts->disable_transited_check()));
-	rv->Assign(9, val_mgr->GetBool(opts->renewable_ok()));
+	rv->Assign(9, val_mgr->Bool(opts->renewable_ok()));
-	rv->Assign(10, val_mgr->GetBool(opts->enc_tkt_in_skey()));
+	rv->Assign(10, val_mgr->Bool(opts->enc_tkt_in_skey()));
-	rv->Assign(11, val_mgr->GetBool(opts->renew()));
+	rv->Assign(11, val_mgr->Bool(opts->renew()));
-	rv->Assign(12, val_mgr->GetBool(opts->validate()));
+	rv->Assign(12, val_mgr->Bool(opts->validate()));
 
 	return rv;
 }
@@ -49,7 +49,7 @@ RecordVal* proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyzer bro_an
 				rv->Assign(4, GetStringFromPrincipalName(element->data()->principal()));
 				break;
 			case 2:
-				rv->Assign(5, bytestring_to_val(element->data()->realm()->encoding()->content()));
+				rv->Assign(5, to_stringval(element->data()->realm()->encoding()->content()));
 				break;
 			case 3:
 				rv->Assign(6, GetStringFromPrincipalName(element->data()->sname()));
@@ -139,19 +139,19 @@ bool proc_error_arguments(RecordVal* rv, const std::vector<KRB_ERROR_Arg*>* args
 				break;
 			// ctime/stime handled above
 			case 7:
-				rv->Assign(5, bytestring_to_val((*args)[i]->args()->crealm()->encoding()->content()));
+				rv->Assign(5, to_stringval((*args)[i]->args()->crealm()->encoding()->content()));
 				break;
 			case 8:
 				rv->Assign(6, GetStringFromPrincipalName((*args)[i]->args()->cname()));
 				break;
 			case 9:
-				rv->Assign(7, bytestring_to_val((*args)[i]->args()->realm()->encoding()->content()));
+				rv->Assign(7, to_stringval((*args)[i]->args()->realm()->encoding()->content()));
 				break;
 			case 10:
 				rv->Assign(8, GetStringFromPrincipalName((*args)[i]->args()->sname()));
 				break;
 			case 11:
-				rv->Assign(9, bytestring_to_val((*args)[i]->args()->e_text()->encoding()->content()));
+				rv->Assign(9, to_stringval((*args)[i]->args()->e_text()->encoding()->content()));
 				break;
 			case 12:
 				if ( error_code == KDC_ERR_PREAUTH_REQUIRED )
@@ -180,7 +180,7 @@ refine connection KRB_Conn += {
 				return false;
 
 			RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
-			BifEvent::generate_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), rv);
+			BifEvent::enqueue_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), {AdoptRef{}, rv});
 			return true;
 			}
 
@@ -190,7 +190,7 @@ refine connection KRB_Conn += {
 				return false;
 
 			RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
-			BifEvent::generate_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), rv);
+			BifEvent::enqueue_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), {AdoptRef{}, rv});
 			return true;
 			}
 
@@ -201,9 +201,9 @@ refine connection KRB_Conn += {
 		%{
 		bro_analyzer()->ProtocolConfirmation();
 		auto msg_type = binary_to_int64(${msg.msg_type.data.content});
-		auto make_arg = [this, msg]() -> RecordVal*
+		auto make_arg = [this, msg]() -> IntrusivePtr<RecordVal>
 			{
-			RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Response);
+			auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::KDC_Response);
 
 			rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT));
 			rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT));
@@ -211,7 +211,7 @@ refine connection KRB_Conn += {
 			if ( ${msg.padata.has_padata} )
 				rv->Assign(2, proc_padata(${msg.padata.padata.padata}, bro_analyzer(), false));
 
-			rv->Assign(3, bytestring_to_val(${msg.client_realm.encoding.content}));
+			rv->Assign(3, to_stringval(${msg.client_realm.encoding.content}));
 			rv->Assign(4, GetStringFromPrincipalName(${msg.client_name}));
 
 			rv->Assign(5, proc_ticket(${msg.ticket}));
@@ -223,7 +223,7 @@ refine connection KRB_Conn += {
 			if ( ! krb_as_response )
 				return false;
 
-			BifEvent::generate_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
+			BifEvent::enqueue_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
 			return true;
 			}
 
@@ -232,7 +232,7 @@ refine connection KRB_Conn += {
 			if ( ! krb_tgs_response )
 				return false;
 
-			BifEvent::generate_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
+			BifEvent::enqueue_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
 			return true;
 			}
 
@@ -244,11 +244,11 @@ refine connection KRB_Conn += {
 		bro_analyzer()->ProtocolConfirmation();
 		if ( krb_error )
 			{
-			RecordVal* rv = new RecordVal(BifType::Record::KRB::Error_Msg);
+			auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::Error_Msg);
-			proc_error_arguments(rv, ${msg.args1}, 0);
+			proc_error_arguments(rv.get(), ${msg.args1}, 0);
 			rv->Assign(4, asn1_integer_to_val(${msg.error_code}, TYPE_COUNT));
-			proc_error_arguments(rv, ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content}));
+			proc_error_arguments(rv.get(), ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content}));
-			BifEvent::generate_krb_error(bro_analyzer(), bro_analyzer()->Conn(), rv);
+			BifEvent::enqueue_krb_error(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv));
 			}
 		return true;
 		%}
@@ -258,16 +258,18 @@ refine connection KRB_Conn += {
 		bro_analyzer()->ProtocolConfirmation();
 		if ( krb_ap_request )
 			{
-			RecordVal* rv = new RecordVal(BifType::Record::KRB::AP_Options);
+			auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::AP_Options);
-			rv->Assign(0, val_mgr->GetBool(${msg.ap_options.use_session_key}));
+			rv->Assign(0, val_mgr->Bool(${msg.ap_options.use_session_key}));
-			rv->Assign(1, val_mgr->GetBool(${msg.ap_options.mutual_required}));
+			rv->Assign(1, val_mgr->Bool(${msg.ap_options.mutual_required}));
+
+			auto rvticket = proc_ticket(${msg.ticket});
+			auto authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount());
 
-			RecordVal* rvticket = proc_ticket(${msg.ticket});
-			StringVal* authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount());
 			if ( authenticationinfo )
 				rvticket->Assign(5, authenticationinfo);
-			BifEvent::generate_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
+
-						      rvticket, rv);
+			BifEvent::enqueue_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
+						      std::move(rvticket), std::move(rv));
 			}
 		return true;
 		%}
@@ -277,7 +279,7 @@ refine connection KRB_Conn += {
 		bro_analyzer()->ProtocolConfirmation();
 		if ( krb_ap_response )
 			{
-			BifEvent::generate_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn());
+			BifEvent::enqueue_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn());
 			}
 		return true;
 		%}
@@ -287,7 +289,7 @@ refine connection KRB_Conn += {
 		bro_analyzer()->ProtocolConfirmation();
 		if ( krb_safe )
 			{
-			RecordVal* rv = new RecordVal(BifType::Record::KRB::SAFE_Msg);
+			auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::SAFE_Msg);
 
 			rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT));
 			rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT));
@@ -320,7 +322,7 @@ refine connection KRB_Conn += {
 				switch ( ${msg.safe_body.args[i].seq_meta.index} )
 					{
 					case 0:
-						rv->Assign(3, bytestring_to_val(${msg.safe_body.args[i].args.user_data.encoding.content}));
+						rv->Assign(3, to_stringval(${msg.safe_body.args[i].args.user_data.encoding.content}));
 						break;
 					case 3:
 						rv->Assign(5, asn1_integer_to_val(${msg.safe_body.args[i].args.seq_number}, TYPE_COUNT));
@@ -335,7 +337,7 @@ refine connection KRB_Conn += {
 						break;
 					}
 				}
-			BifEvent::generate_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, rv);
+			BifEvent::enqueue_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, std::move(rv));
 			}
 		return true;
 		%}
@@ -345,7 +347,7 @@ refine connection KRB_Conn += {
 		bro_analyzer()->ProtocolConfirmation();
 		if ( krb_priv )
 			{
-			BifEvent::generate_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig});
+			BifEvent::enqueue_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig});
 			}
 		return true;
 		%}
@@ -355,7 +357,7 @@ refine connection KRB_Conn += {
 		bro_analyzer()->ProtocolConfirmation();
 		if ( krb_cred )
 			{
-			BifEvent::generate_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig},
+			BifEvent::enqueue_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig},
 						    		   proc_tickets(${msg.tickets}));
 			}
 		return true;

src/analyzer/protocol/krb/krb-asn1.pac

@@ -2,21 +2,20 @@
 %include ../asn1/asn1.pac
 
 %header{
-    Val* GetTimeFromAsn1(const KRB_Time* atime, int64 usecs);
+    IntrusivePtr<Val> GetTimeFromAsn1(const KRB_Time* atime, int64 usecs);
-    Val* GetTimeFromAsn1(StringVal* atime, int64 usecs);
+    IntrusivePtr<Val> GetTimeFromAsn1(StringVal* atime, int64 usecs);
 %}
 
 %code{
 
-Val* GetTimeFromAsn1(const KRB_Time* atime, int64 usecs)
+IntrusivePtr<Val> GetTimeFromAsn1(const KRB_Time* atime, int64 usecs)
 	{
-	StringVal* atime_bytestring = bytestring_to_val(atime->time());
+	auto atime_bytestring = to_stringval(atime->time());
-	Val* result = GetTimeFromAsn1(atime_bytestring, usecs);
+	auto result = GetTimeFromAsn1(atime_bytestring.get(), usecs);
-	Unref(atime_bytestring);
 	return result;
 	}
 
-Val* GetTimeFromAsn1(StringVal* atime, int64 usecs)
+IntrusivePtr<Val> GetTimeFromAsn1(StringVal* atime, int64 usecs)
 	{
 	time_t lResult = 0;
 
@@ -27,7 +26,7 @@ Val* GetTimeFromAsn1(StringVal* atime, int64 usecs)
 	char * pString = (char *) atime->Bytes();
 
 	if ( lTimeLength != 15 && lTimeLength != 17 )
-		return 0;
+		return nullptr;
 
 	if (lTimeLength == 17 )
 		pString = pString + 2;
@@ -52,7 +51,7 @@ Val* GetTimeFromAsn1(StringVal* atime, int64 usecs)
 	if ( !lResult )
 		lResult = 0;
 
-	return new Val(double(lResult + double(usecs/100000.0)), TYPE_TIME);
+	return make_intrusive<Val>(double(lResult + double(usecs/100000.0)), TYPE_TIME);
 	}
 
 %}

src/analyzer/protocol/krb/krb-padata.pac

@@ -37,24 +37,24 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
 			case PA_PW_SALT:
 				{
 				RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
-				type_val->Assign(0, val_mgr->GetCount(element->data_type()));
+				type_val->Assign(0, val_mgr->Count(element->data_type()));
-				type_val->Assign(1, bytestring_to_val(element->pa_data_element()->pa_pw_salt()->encoding()->content()));
+				type_val->Assign(1, to_stringval(element->pa_data_element()->pa_pw_salt()->encoding()->content()));
 				vv->Assign(vv->Size(), type_val);
 				break;
 				}
 			case PA_ENCTYPE_INFO:
 				{
 				RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
-				type_val->Assign(0, val_mgr->GetCount(element->data_type()));
+				type_val->Assign(0, val_mgr->Count(element->data_type()));
-				type_val->Assign(1, bytestring_to_val(element->pa_data_element()->pf_enctype_info()->salt()));
+				type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info()->salt()));
 				vv->Assign(vv->Size(), type_val);
 				break;
 				}
 			case PA_ENCTYPE_INFO2:
 				{
 				RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
-				type_val->Assign(0, val_mgr->GetCount(element->data_type()));
+				type_val->Assign(0, val_mgr->Count(element->data_type()));
-				type_val->Assign(1, bytestring_to_val(element->pa_data_element()->pf_enctype_info2()->salt()));
+				type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info2()->salt()));
 				vv->Assign(vv->Size(), type_val);
 				break;
 				}
@@ -111,8 +111,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
 				if ( ! is_error && element->pa_data_element()->unknown()->meta()->length() > 0 )
 					{
 					RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
-					type_val->Assign(0, val_mgr->GetCount(element->data_type()));
+					type_val->Assign(0, val_mgr->Count(element->data_type()));
-					type_val->Assign(1, bytestring_to_val(element->pa_data_element()->unknown()->content()));
+					type_val->Assign(1, to_stringval(element->pa_data_element()->unknown()->content()));
 					vv->Assign(vv->Size(), type_val);
 					}
 				break;

src/analyzer/protocol/krb/krb-types.pac

@@ -1,28 +1,28 @@
 # Fundamental KRB types
 
 %header{
-Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname);
+IntrusivePtr<Val> GetStringFromPrincipalName(const KRB_Principal_Name* pname);
 
 VectorVal* proc_cipher_list(const Array* list);
 
 VectorVal* proc_host_address_list(const BroAnalyzer a, const KRB_Host_Addresses* list);
 RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr);
 
-VectorVal* proc_tickets(const KRB_Ticket_Sequence* list);
+IntrusivePtr<VectorVal> proc_tickets(const KRB_Ticket_Sequence* list);
-RecordVal* proc_ticket(const KRB_Ticket* ticket);
+IntrusivePtr<RecordVal> proc_ticket(const KRB_Ticket* ticket);
 %}
 
 %code{
-Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname)
+IntrusivePtr<Val> GetStringFromPrincipalName(const KRB_Principal_Name* pname)
 {
 	if ( pname->data()->size() == 1 )
-		return bytestring_to_val(pname->data()[0][0]->encoding()->content());
+		return to_stringval(pname->data()[0][0]->encoding()->content());
 	if ( pname->data()->size() == 2 )
-		return new StringVal(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin()));
+		return make_intrusive<StringVal>(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin()));
 	if ( pname->data()->size() == 3 ) // if the name-string has a third value, this will just append it, else this will return unknown as the principal name
-		return new StringVal(fmt("%s/%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin(), (char *)pname->data()[0][2]->encoding()->content().begin()));
+		return make_intrusive<StringVal>(fmt("%s/%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin(), (char *)pname->data()[0][2]->encoding()->content().begin()));
 
-	return new StringVal("unknown");
+	return make_intrusive<StringVal>("unknown");
 }
 
 VectorVal* proc_cipher_list(const Array* list)
@@ -78,7 +78,7 @@ RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr)
 			}
 		case 20:
 			{
-			rv->Assign(1, bytestring_to_val(addr_bytes));
+			rv->Assign(1, to_stringval(addr_bytes));
 			return rv;
 			}
 		default:
@@ -87,14 +87,15 @@ RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr)
 
 	RecordVal* unk = new RecordVal(BifType::Record::KRB::Type_Value);
 	unk->Assign(0, asn1_integer_to_val(addr->addr_type(), TYPE_COUNT));
-	unk->Assign(1, bytestring_to_val(addr_bytes));
+	unk->Assign(1, to_stringval(addr_bytes));
 	rv->Assign(2, unk);
 	return rv;
 }
 
-VectorVal* proc_tickets(const KRB_Ticket_Sequence* list)
+IntrusivePtr<VectorVal> proc_tickets(const KRB_Ticket_Sequence* list)
 	{
-	VectorVal* tickets = new VectorVal(internal_type("KRB::Ticket_Vector")->AsVectorType());
+	auto tickets = make_intrusive<VectorVal>(internal_type("KRB::Ticket_Vector")->AsVectorType());
+
 	for ( uint i = 0; i < list->tickets()->size(); ++i )
 		{
 		KRB_Ticket* element = (*list->tickets())[i];
@@ -104,15 +105,15 @@ VectorVal* proc_tickets(const KRB_Ticket_Sequence* list)
 	return tickets;
 	}
 
-RecordVal* proc_ticket(const KRB_Ticket* ticket)
+IntrusivePtr<RecordVal> proc_ticket(const KRB_Ticket* ticket)
 	{
-	RecordVal* rv = new RecordVal(BifType::Record::KRB::Ticket);
+	auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::Ticket);
 
 	rv->Assign(0, asn1_integer_to_val(ticket->tkt_vno()->data(), TYPE_COUNT));
-	rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content()));
+	rv->Assign(1, to_stringval(ticket->realm()->data()->content()));
 	rv->Assign(2, GetStringFromPrincipalName(ticket->sname()));
 	rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT));
-	rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext()->encoding()->content()));
+	rv->Assign(4, to_stringval(ticket->enc_part()->data()->ciphertext()->encoding()->content()));
 
 	return rv;
 	}

src/analyzer/protocol/login/Login.cc

@@ -290,7 +290,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
 	else if ( IsSkipAuthentication(line) )
 		{
 		if ( authentication_skipped )
-			EnqueueConnEvent(authentication_skipped, IntrusivePtr{AdoptRef{}, BuildConnVal()});
+			EnqueueConnEvent(authentication_skipped, ConnVal());
 
 		state = LOGIN_STATE_SKIP;
 		SetSkip(true);
@@ -332,19 +332,19 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
 
 		else if ( login_terminal && streq(name, "TERM") )
 			EnqueueConnEvent(login_terminal,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
 				make_intrusive<StringVal>(val)
 			);
 
 		else if ( login_display && streq(name, "DISPLAY") )
 			EnqueueConnEvent(login_display,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
 				make_intrusive<StringVal>(val)
 			);
 
 		else if ( login_prompt && streq(name, "TTYPROMPT") )
 			EnqueueConnEvent(login_prompt,
-				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				ConnVal(),
 				make_intrusive<StringVal>(val)
 			);
 		}
@@ -420,10 +420,10 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
 				PopUserTextVal() : new StringVal("<none>");
 
 	EnqueueConnEvent(f,
-		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		ConnVal(),
 		IntrusivePtr{NewRef{}, username},
 		client_name ? IntrusivePtr{NewRef{}, client_name}
-		            : IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
+		            : val_mgr->EmptyString(),
 		IntrusivePtr{AdoptRef{}, password},
 		make_intrusive<StringVal>(line)
 	);
@@ -443,7 +443,7 @@ void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
 		return;
 
 	EnqueueConnEvent(f,
-		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		ConnVal(),
 		make_intrusive<StringVal>(line)
 	);
 	}
@@ -455,7 +455,7 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
 
 	if ( login_confused )
 		EnqueueConnEvent(login_confused,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			make_intrusive<StringVal>(msg),
 			make_intrusive<StringVal>(line)
 		);
@@ -479,7 +479,7 @@ void Login_Analyzer::ConfusionText(const char* line)
 	{
 	if ( login_confused_text )
 		EnqueueConnEvent(login_confused_text,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			make_intrusive<StringVal>(line)
 		);
 	}
@@ -593,7 +593,7 @@ Val* Login_Analyzer::PopUserTextVal()
 	if ( s )
 		return new StringVal(new BroString(true, byte_vec(s), strlen(s)));
 	else
-		return val_mgr->GetEmptyString();
+		return val_mgr->EmptyString()->Ref();
 	}
 
 bool Login_Analyzer::MatchesTypeahead(const char* line) const

src/analyzer/protocol/login/NVT.cc

@@ -460,7 +460,7 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
 	{
 	if ( login_terminal )
 		EnqueueConnEvent(login_terminal,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			make_intrusive<StringVal>(new BroString(terminal, len, false))
 		);
 	}

src/analyzer/protocol/login/RSH.cc

@@ -172,7 +172,7 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	vl.reserve(4 + orig);
 	const char* line = (const char*) data;
 	line = skip_whitespace(line);
-	vl.emplace_back(AdoptRef{}, BuildConnVal());
+	vl.emplace_back(ConnVal());
 
 	if ( client_name )
 		vl.emplace_back(NewRef{}, client_name);
@@ -190,9 +190,9 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		{
 		if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
 			// First input
-			vl.emplace_back(AdoptRef{}, val_mgr->GetTrue());
+			vl.emplace_back(val_mgr->True());
 		else
-			vl.emplace_back(AdoptRef{}, val_mgr->GetFalse());
+			vl.emplace_back(val_mgr->False());
 
 		EnqueueConnEvent(rsh_request, std::move(vl));
 		}

src/analyzer/protocol/login/Rlogin.cc

@@ -245,7 +245,7 @@ void Rlogin_Analyzer::TerminalType(const char* s)
 	{
 	if ( login_terminal )
 		EnqueueConnEvent(login_terminal,
-			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			ConnVal(),
 			make_intrusive<StringVal>(s)
 		);
 	}

src/analyzer/protocol/login/functions.bif

@@ -28,13 +28,13 @@ function get_login_state%(cid: conn_id%): count
 	%{
 	Connection* c = sessions->FindConnection(cid);
 	if ( ! c )
-		return val_mgr->GetFalse();
+		return val_mgr->False();
 
 	analyzer::Analyzer* la = c->FindAnalyzer("Login");
 	if ( ! la )
-		return val_mgr->GetFalse();
+		return val_mgr->False();
 
-	return val_mgr->GetCount(int(static_cast<analyzer::login::Login_Analyzer*>(la)->LoginState()));
+	return val_mgr->Count(int(static_cast<analyzer::login::Login_Analyzer*>(la)->LoginState()));
 	%}
 
 ## Sets the login state of a connection with a login analyzer.
@@ -52,12 +52,12 @@ function set_login_state%(cid: conn_id, new_state: count%): bool
 	%{
 	Connection* c = sessions->FindConnection(cid);
 	if ( ! c )
-		return val_mgr->GetFalse();
+		return val_mgr->False();
 
 	analyzer::Analyzer* la = c->FindAnalyzer("Login");
 	if ( ! la )
-		return val_mgr->GetFalse();
+		return val_mgr->False();
 
 	static_cast<analyzer::login::Login_Analyzer*>(la)->SetLoginState(analyzer::login::login_state(new_state));
-	return val_mgr->GetTrue();
+	return val_mgr->True();
 	%}

src/analyzer/protocol/mime/MIME.cc

@@ -1292,8 +1292,9 @@ void MIME_Entity::DebugPrintHeaders()
 RecordVal* MIME_Message::BuildHeaderVal(MIME_Header* h)
 	{
 	RecordVal* header_record = new RecordVal(mime_header_rec);
-	header_record->Assign(0, new_string_val(h->get_name())->ToUpper());
+	header_record->Assign(0, new_string_val(h->get_name()));
-	header_record->Assign(1, new_string_val(h->get_value()));
+	header_record->Assign(1, new_string_val(h->get_name())->ToUpper());
+	header_record->Assign(2, new_string_val(h->get_value()));
 	return header_record;
 	}
 
@@ -1303,14 +1304,12 @@ TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist)
 
 	for ( unsigned int i = 0; i < hlist.size(); ++i )
 		{
-		Val* index = val_mgr->GetCount(i+1);	// index starting from 1
+		auto index = val_mgr->Count(i + 1);	// index starting from 1
 
 		MIME_Header* h = hlist[i];
 		RecordVal* header_record = BuildHeaderVal(h);
 
-		t->Assign(index, header_record);
+		t->Assign(index.get(), header_record);
-
-		Unref(index);
 		}
 
 	return t;
@@ -1366,8 +1365,8 @@ void MIME_Mail::Done()
 		md5_hash = nullptr;
 
 		analyzer->EnqueueConnEvent(mime_content_hash,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(content_hash_length)},
+			val_mgr->Count(content_hash_length),
 			make_intrusive<StringVal>(new BroString(true, digest, 16))
 		);
 		}
@@ -1393,7 +1392,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
 	cur_entity_id.clear();
 
 	if ( mime_begin_entity )
-		analyzer->EnqueueConnEvent(mime_begin_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
+		analyzer->EnqueueConnEvent(mime_begin_entity, analyzer->ConnVal());
 
 	buffer_start = data_start = 0;
 	ASSERT(entity_content.size() == 0);
@@ -1406,8 +1405,8 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 		BroString* s = concatenate(entity_content);
 
 		analyzer->EnqueueConnEvent(mime_entity_data,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
+			val_mgr->Count(s->Len()),
 			make_intrusive<StringVal>(s)
 		);
 
@@ -1418,7 +1417,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 		}
 
 	if ( mime_end_entity )
-		analyzer->EnqueueConnEvent(mime_end_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
+		analyzer->EnqueueConnEvent(mime_end_entity, analyzer->ConnVal());
 
 	file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
 	cur_entity_id.clear();
@@ -1428,7 +1427,7 @@ void MIME_Mail::SubmitHeader(MIME_Header* h)
 	{
 	if ( mime_one_header )
 		analyzer->EnqueueConnEvent(mime_one_header,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, BuildHeaderVal(h)}
 		);
 	}
@@ -1437,7 +1436,7 @@ void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
 	{
 	if ( mime_all_headers )
 		analyzer->EnqueueConnEvent(mime_all_headers,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
 		);
 	}
@@ -1473,8 +1472,8 @@ void MIME_Mail::SubmitData(int len, const char* buf)
 		int data_len = (buf + len) - data;
 
 		analyzer->EnqueueConnEvent(mime_segment_data,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_len)},
+			val_mgr->Count(data_len),
 			make_intrusive<StringVal>(data_len, data)
 		);
 		}
@@ -1520,8 +1519,8 @@ void MIME_Mail::SubmitAllData()
 		delete_strings(all_content);
 
 		analyzer->EnqueueConnEvent(mime_all_data,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
-			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
+			val_mgr->Count(s->Len()),
 			make_intrusive<StringVal>(s)
 		);
 		}
@@ -1548,7 +1547,7 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
 
 	if ( mime_event )
 		analyzer->EnqueueConnEvent(mime_event,
-			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			analyzer->ConnVal(),
 			make_intrusive<StringVal>(category),
 			make_intrusive<StringVal>(detail)
 		);

src/analyzer/protocol/modbus/modbus-analyzer.pac

@@ -8,39 +8,39 @@
 #
 
 %header{
-	VectorVal* bytestring_to_coils(const bytestring& coils, uint quantity);
+	IntrusivePtr<VectorVal> bytestring_to_coils(const bytestring& coils, uint quantity);
-	RecordVal* HeaderToBro(ModbusTCP_TransportHeader *header);
+	IntrusivePtr<RecordVal> HeaderToVal(ModbusTCP_TransportHeader* header);
-	VectorVal* create_vector_of_count();
+	IntrusivePtr<VectorVal> create_vector_of_count();
 	%}
 
 %code{
-	VectorVal* bytestring_to_coils(const bytestring& coils, uint quantity)
+	IntrusivePtr<VectorVal> bytestring_to_coils(const bytestring& coils, uint quantity)
 		{
-		VectorVal* modbus_coils = new VectorVal(BifType::Vector::ModbusCoils);
+		auto modbus_coils = make_intrusive<VectorVal>(BifType::Vector::ModbusCoils);
+
 		for ( uint i = 0; i < quantity; i++ )
 			{
 			char currentCoil = (coils[i/8] >> (i % 8)) % 2;
-			modbus_coils->Assign(i, val_mgr->GetBool(currentCoil));
+			modbus_coils->Assign(i, val_mgr->Bool(currentCoil));
 			}
 
 		return modbus_coils;
 		}
 
-	RecordVal* HeaderToBro(ModbusTCP_TransportHeader *header)
+	IntrusivePtr<RecordVal> HeaderToVal(ModbusTCP_TransportHeader* header)
 		{
-		RecordVal* modbus_header = new RecordVal(BifType::Record::ModbusHeaders);
+		auto modbus_header = make_intrusive<RecordVal>(BifType::Record::ModbusHeaders);
-		modbus_header->Assign(0, val_mgr->GetCount(header->tid()));
+		modbus_header->Assign(0, val_mgr->Count(header->tid()));
-		modbus_header->Assign(1, val_mgr->GetCount(header->pid()));
+		modbus_header->Assign(1, val_mgr->Count(header->pid()));
-		modbus_header->Assign(2, val_mgr->GetCount(header->uid()));
+		modbus_header->Assign(2, val_mgr->Count(header->uid()));
-		modbus_header->Assign(3, val_mgr->GetCount(header->fc()));
+		modbus_header->Assign(3, val_mgr->Count(header->fc()));
 		return modbus_header;
 		}
 
-	VectorVal* create_vector_of_count()
+	IntrusivePtr<VectorVal> create_vector_of_count()
 		{
-		VectorType* vt = new VectorType(base_type(TYPE_COUNT));
+		auto vt = make_intrusive<VectorType>(base_type(TYPE_COUNT));
-		VectorVal* vv = new VectorVal(vt);
+		auto vv = make_intrusive<VectorVal>(vt.get());
-		Unref(vt);
 		return vv;
 		}
 
@@ -88,9 +88,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_message )
 			{
-			BifEvent::generate_modbus_message(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_message(connection()->bro_analyzer(),
 			                                 connection()->bro_analyzer()->Conn(),
-			                                  HeaderToBro(header),
+			                                 HeaderToVal(header),
 			                                 is_orig());
 			}
 
@@ -117,9 +117,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_exception )
 			{
-			BifEvent::generate_modbus_exception(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_exception(connection()->bro_analyzer(),
 			                                   connection()->bro_analyzer()->Conn(),
-			                                    HeaderToBro(header),
+			                                   HeaderToVal(header),
 			                                   ${message.code});
 			}
 
@@ -131,9 +131,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_read_coils_request )
 			{
-			BifEvent::generate_modbus_read_coils_request(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_coils_request(connection()->bro_analyzer(),
 			                                            connection()->bro_analyzer()->Conn(),
-			                                             HeaderToBro(header),
+			                                            HeaderToVal(header),
 			                                            ${message.start_address},
 			                                            ${message.quantity});
 			}
@@ -146,9 +146,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_read_coils_response )
 			{
-			BifEvent::generate_modbus_read_coils_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_coils_response(connection()->bro_analyzer(),
 			                                             connection()->bro_analyzer()->Conn(),
-			                                              HeaderToBro(header),
+			                                             HeaderToVal(header),
 			                                             bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
 			}
 		return true;
@@ -159,9 +159,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_read_discrete_inputs_request )
 			{
-			BifEvent::generate_modbus_read_discrete_inputs_request(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_discrete_inputs_request(connection()->bro_analyzer(),
 			                                                      connection()->bro_analyzer()->Conn(),
-			                                                       HeaderToBro(header),
+			                                                      HeaderToVal(header),
 			                                                      ${message.start_address}, ${message.quantity});
 			}
 
@@ -173,9 +173,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_read_discrete_inputs_response )
 			{
-			BifEvent::generate_modbus_read_discrete_inputs_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_discrete_inputs_response(connection()->bro_analyzer(),
 			                                                       connection()->bro_analyzer()->Conn(),
-			                                                        HeaderToBro(header),
+			                                                       HeaderToVal(header),
 			                                                       bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
 			}
 
@@ -188,9 +188,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_read_holding_registers_request )
 			{
-			BifEvent::generate_modbus_read_holding_registers_request(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_holding_registers_request(connection()->bro_analyzer(),
 			                                                        connection()->bro_analyzer()->Conn(),
-			                                                         HeaderToBro(header),
+			                                                        HeaderToVal(header),
 			                                                        ${message.start_address}, ${message.quantity});
 			}
 
@@ -209,18 +209,18 @@ refine flow ModbusTCP_Flow += {
 
 		if ( ::modbus_read_holding_registers_response )
 			{
+			auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
 
-			VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
 			for ( unsigned int i=0; i < ${message.registers}->size(); ++i )
 				{
-				Val* r = val_mgr->GetCount(${message.registers[i]});
+				auto r = val_mgr->Count(${message.registers[i]});
 				t->Assign(i, r);
 				}
 
-			BifEvent::generate_modbus_read_holding_registers_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_holding_registers_response(connection()->bro_analyzer(),
 			                                                         connection()->bro_analyzer()->Conn(),
-			                                                          HeaderToBro(header),
+			                                                         HeaderToVal(header),
-			                                                          t);
+			                                                         std::move(t));
 			}
 
 		return true;
@@ -232,9 +232,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_read_input_registers_request )
 			{
-			BifEvent::generate_modbus_read_input_registers_request(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_input_registers_request(connection()->bro_analyzer(),
 			                                                      connection()->bro_analyzer()->Conn(),
-			                                                       HeaderToBro(header),
+			                                                      HeaderToVal(header),
 			                                                      ${message.start_address}, ${message.quantity});
 			}
 
@@ -253,17 +253,18 @@ refine flow ModbusTCP_Flow += {
 
 		if ( ::modbus_read_input_registers_response )
 			{
-			VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
+			auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
+
 			for ( unsigned int i=0; i < (${message.registers})->size(); ++i )
 				{
-				Val* r = val_mgr->GetCount(${message.registers[i]});
+				auto r = val_mgr->Count(${message.registers[i]});
 				t->Assign(i, r);
 				}
 
-			BifEvent::generate_modbus_read_input_registers_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_input_registers_response(connection()->bro_analyzer(),
 			                                                       connection()->bro_analyzer()->Conn(),
-			                                                        HeaderToBro(header),
+			                                                       HeaderToVal(header),
-			                                                        t);
+			                                                       std::move(t));
 			}
 
 		return true;
@@ -287,9 +288,9 @@ refine flow ModbusTCP_Flow += {
 				return false;
 				}
 
-			BifEvent::generate_modbus_write_single_coil_request(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_write_single_coil_request(connection()->bro_analyzer(),
 			                                                   connection()->bro_analyzer()->Conn(),
-			                                                    HeaderToBro(header),
+			                                                   HeaderToVal(header),
 			                                                   ${message.address},
 			                                                   val);
 			}
@@ -314,9 +315,9 @@ refine flow ModbusTCP_Flow += {
 				return false;
 				}
 
-			BifEvent::generate_modbus_write_single_coil_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_write_single_coil_response(connection()->bro_analyzer(),
 			                                                    connection()->bro_analyzer()->Conn(),
-			                                                     HeaderToBro(header),
+			                                                    HeaderToVal(header),
 			                                                    ${message.address},
 			                                                    val);
 			}
@@ -330,9 +331,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_write_single_register_request )
 			{
-			BifEvent::generate_modbus_write_single_register_request(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_write_single_register_request(connection()->bro_analyzer(),
 			                                                       connection()->bro_analyzer()->Conn(),
-			                                                        HeaderToBro(header),
+			                                                       HeaderToVal(header),
 			                                                       ${message.address}, ${message.value});
 			}
 
@@ -344,9 +345,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_write_single_register_response )
 			{
-			BifEvent::generate_modbus_write_single_register_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_write_single_register_response(connection()->bro_analyzer(),
 			                                                        connection()->bro_analyzer()->Conn(),
-			                                                         HeaderToBro(header),
+			                                                        HeaderToVal(header),
 			                                                        ${message.address}, ${message.value});
 			}
 
@@ -359,9 +360,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_write_multiple_coils_request )
 			{
-			BifEvent::generate_modbus_write_multiple_coils_request(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_write_multiple_coils_request(connection()->bro_analyzer(),
 			                                                      connection()->bro_analyzer()->Conn(),
-			                                                       HeaderToBro(header),
+			                                                      HeaderToVal(header),
 			                                                      ${message.start_address},
 			                                                      bytestring_to_coils(${message.coils}, ${message.quantity}));
 			}
@@ -374,9 +375,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_write_multiple_coils_response )
 			{
-			BifEvent::generate_modbus_write_multiple_coils_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_write_multiple_coils_response(connection()->bro_analyzer(),
 			                                                       connection()->bro_analyzer()->Conn(),
-			                                                        HeaderToBro(header),
+			                                                       HeaderToVal(header),
 			                                                       ${message.start_address}, ${message.quantity});
 			}
 
@@ -396,17 +397,18 @@ refine flow ModbusTCP_Flow += {
 
 		if ( ::modbus_write_multiple_registers_request )
 			{
-			VectorVal * t = new VectorVal(BifType::Vector::ModbusRegisters);
+			auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
+
 			for ( unsigned int i = 0; i < (${message.registers}->size()); ++i )
 				{
-				Val* r = val_mgr->GetCount(${message.registers[i]});
+				auto r = val_mgr->Count(${message.registers[i]});
 				t->Assign(i, r);
 				}
 
-				BifEvent::generate_modbus_write_multiple_registers_request(connection()->bro_analyzer(),
+				BifEvent::enqueue_modbus_write_multiple_registers_request(connection()->bro_analyzer(),
 				                                                          connection()->bro_analyzer()->Conn(),
-				                                                           HeaderToBro(header),
+				                                                          HeaderToVal(header),
-				                                                           ${message.start_address}, t);
+				                                                          ${message.start_address}, std::move(t));
 			}
 
 		return true;
@@ -417,9 +419,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_write_multiple_registers_response )
 			{
-			BifEvent::generate_modbus_write_multiple_registers_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_write_multiple_registers_response(connection()->bro_analyzer(),
 			                                                           connection()->bro_analyzer()->Conn(),
-			                                                            HeaderToBro(header),
+			                                                           HeaderToVal(header),
 			                                                           ${message.start_address}, ${message.quantity});
 			}
 
@@ -432,22 +434,22 @@ refine flow ModbusTCP_Flow += {
 		if ( ::modbus_read_file_record_request )
 			{
 			//TODO: this need to be a vector of some Reference Request record type
-			//VectorVal *t = create_vector_of_count();
+			//auto t = create_vector_of_count();
 			//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
 			//	{
-			//	Val* r = val_mgr->GetCount((${message.references[i].ref_type}));
+			//	auto r = val_mgr->Count((${message.references[i].ref_type}));
 			//	t->Assign(i, r);
 			//
-			//	Val* k = val_mgr->GetCount((${message.references[i].file_num}));
+			//	auto k = val_mgr->Count((${message.references[i].file_num}));
 			//	t->Assign(i, k);
 			//
-			//	Val* l = val_mgr->GetCount((${message.references[i].record_num}));
+			//	auto l = val_mgr->Count((${message.references[i].record_num}));
 			//	t->Assign(i, l);
 			//	}
 
-			BifEvent::generate_modbus_read_file_record_request(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_file_record_request(connection()->bro_analyzer(),
 			                                                  connection()->bro_analyzer()->Conn(),
-			                                                   HeaderToBro(header));
+			                                                  HeaderToVal(header));
 			}
 
 		return true;
@@ -458,17 +460,17 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_read_file_record_response )
 			{
-			//VectorVal *t = create_vector_of_count();
+			//auto t = create_vector_of_count();
 			//for ( unsigned int i = 0; i < ${message.references}->size(); ++i )
 			//	{
 			//	//TODO: work the reference type in here somewhere
-			//	Val* r = val_mgr->GetCount(${message.references[i].record_data}));
+			//	auto r = val_mgr->Count(${message.references[i].record_data}));
 			//	t->Assign(i, r);
 			//	}
 
-			BifEvent::generate_modbus_read_file_record_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_file_record_response(connection()->bro_analyzer(),
 			                                                   connection()->bro_analyzer()->Conn(),
-			                                                    HeaderToBro(header));
+			                                                   HeaderToVal(header));
 			}
 
 		return true;
@@ -479,28 +481,28 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_write_file_record_request )
 			{
-			//VectorVal* t = create_vector_of_count();
+			//auto t = create_vector_of_count();
 			//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
 			//	{
-			//	Val* r = val_mgr->GetCount((${message.references[i].ref_type}));
+			//	auto r = val_mgr->Count((${message.references[i].ref_type}));
 			//	t->Assign(i, r);
 			//
-			//	Val* k = val_mgr->GetCount((${message.references[i].file_num}));
+			//	auto k = val_mgr->Count((${message.references[i].file_num}));
 			//	t->Assign(i, k);
 			//
-			//	Val* n = val_mgr->GetCount((${message.references[i].record_num}));
+			//	auto n = val_mgr->Count((${message.references[i].record_num}));
 			//	t->Assign(i, n);
 			//
 			//	for ( unsigned int j = 0; j < (${message.references[i].register_value}->size()); ++j )
 			//		{
-			//		k = val_mgr->GetCount((${message.references[i].register_value[j]}));
+			//		k = val_mgr->Count((${message.references[i].register_value[j]}));
 			//		t->Assign(i, k);
 			//		}
 			//	}
 
-			BifEvent::generate_modbus_write_file_record_request(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_write_file_record_request(connection()->bro_analyzer(),
 			                                                   connection()->bro_analyzer()->Conn(),
-			                                                    HeaderToBro(header));
+			                                                   HeaderToVal(header));
 			}
 
 		return true;
@@ -512,27 +514,27 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_write_file_record_response )
 			{
-			//VectorVal* t = create_vector_of_count();
+			//auto t = create_vector_of_count();
 			//for ( unsigned int i = 0; i < (${messages.references}->size()); ++i )
 			//	{
-			//	Val* r = val_mgr->GetCount((${message.references[i].ref_type}));
+			//	auto r = val_mgr->Count((${message.references[i].ref_type}));
 			//	t->Assign(i, r);
 			//
-			//	Val* f = val_mgr->GetCount((${message.references[i].file_num}));
+			//	auto f = val_mgr->Count((${message.references[i].file_num}));
 			//	t->Assign(i, f);
 			//
-			//	Val* rn = val_mgr->GetCount((${message.references[i].record_num}));
+			//	auto rn = val_mgr->Count((${message.references[i].record_num}));
 			//	t->Assign(i, rn);
 			//
 			//	for ( unsigned int j = 0; j<(${message.references[i].register_value}->size()); ++j )
 			//		{
-			//		Val* k = val_mgr->GetCount((${message.references[i].register_value[j]}));
+			//		auto k = val_mgr->Count((${message.references[i].register_value[j]}));
 			//		t->Assign(i, k);
 			//		}
 
-			BifEvent::generate_modbus_write_file_record_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_write_file_record_response(connection()->bro_analyzer(),
 			                                                    connection()->bro_analyzer()->Conn(),
-			                                                     HeaderToBro(header));
+			                                                    HeaderToVal(header));
 			}
 
 		return true;
@@ -543,9 +545,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_mask_write_register_request )
 			{
-			BifEvent::generate_modbus_mask_write_register_request(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_mask_write_register_request(connection()->bro_analyzer(),
 			                                                     connection()->bro_analyzer()->Conn(),
-			                                                      HeaderToBro(header),
+			                                                     HeaderToVal(header),
 			                                                     ${message.address},
 			                                                     ${message.and_mask}, ${message.or_mask});
 			}
@@ -558,9 +560,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_mask_write_register_response )
 			{
-			BifEvent::generate_modbus_mask_write_register_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_mask_write_register_response(connection()->bro_analyzer(),
 			                                                      connection()->bro_analyzer()->Conn(),
-			                                                       HeaderToBro(header),
+			                                                      HeaderToVal(header),
 			                                                      ${message.address},
 			                                                      ${message.and_mask}, ${message.or_mask});
 			}
@@ -580,20 +582,21 @@ refine flow ModbusTCP_Flow += {
 
 		if ( ::modbus_read_write_multiple_registers_request )
 			{
-			VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
+			auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
+
 			for ( unsigned int i = 0; i < ${message.write_register_values}->size(); ++i )
 				{
-				Val* r = val_mgr->GetCount(${message.write_register_values[i]});
+				auto r = val_mgr->Count(${message.write_register_values[i]});
 				t->Assign(i, r);
 				}
 
-			BifEvent::generate_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(),
 			                                                               connection()->bro_analyzer()->Conn(),
-			                                                                HeaderToBro(header),
+			                                                               HeaderToVal(header),
 			                                                               ${message.read_start_address},
 			                                                               ${message.read_quantity},
 			                                                               ${message.write_start_address},
-			                                                                t);
+			                                                               std::move(t));
 			}
 
 		return true;
@@ -611,17 +614,18 @@ refine flow ModbusTCP_Flow += {
 
 		if ( ::modbus_read_write_multiple_registers_response )
 			{
-			VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
+			auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
+
 			for ( unsigned int i = 0; i < ${message.registers}->size(); ++i )
 				{
-				Val* r = val_mgr->GetCount(${message.registers[i]});
+				auto r = val_mgr->Count(${message.registers[i]});
 				t->Assign(i, r);
 				}
 
-			BifEvent::generate_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(),
 			                                                                connection()->bro_analyzer()->Conn(),
-			                                                                 HeaderToBro(header),
+			                                                                HeaderToVal(header),
-			                                                                 t);
+			                                                                std::move(t));
 			}
 
 		return true;
@@ -632,9 +636,9 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_read_fifo_queue_request )
 			{
-			BifEvent::generate_modbus_read_fifo_queue_request(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_fifo_queue_request(connection()->bro_analyzer(),
 			                                                 connection()->bro_analyzer()->Conn(),
-			                                                  HeaderToBro(header),
+			                                                 HeaderToVal(header),
 			                                                 ${message.start_address});
 			}
 
@@ -654,17 +658,18 @@ refine flow ModbusTCP_Flow += {
 
 		if ( ::modbus_read_fifo_queue_response )
 			{
-			VectorVal* t = create_vector_of_count();
+			auto t = create_vector_of_count();
+
 			for ( unsigned int i = 0; i < (${message.register_data})->size(); ++i )
 				{
-				Val* r = val_mgr->GetCount(${message.register_data[i]});
+				auto r = val_mgr->Count(${message.register_data[i]});
 				t->Assign(i, r);
 				}
 
-			BifEvent::generate_modbus_read_fifo_queue_response(connection()->bro_analyzer(),
+			BifEvent::enqueue_modbus_read_fifo_queue_response(connection()->bro_analyzer(),
 			                                                  connection()->bro_analyzer()->Conn(),
-			                                                   HeaderToBro(header),
+			                                                  HeaderToVal(header),
-			                                                   t);
+			                                                  std::move(t));
 			}
 
 		return true;

src/analyzer/protocol/mqtt/commands/connack.pac

@@ -15,12 +15,12 @@ refine flow MQTT_Flow += {
 		%{
 		if ( mqtt_connack )
 			{
-			auto m = new RecordVal(BifType::Record::MQTT::ConnectAckMsg);
+			auto m = make_intrusive<RecordVal>(BifType::Record::MQTT::ConnectAckMsg);
-			m->Assign(0, val_mgr->GetCount(${msg.return_code}));
+			m->Assign(0, val_mgr->Count(${msg.return_code}));
-			m->Assign(1, val_mgr->GetBool(${msg.session_present}));
+			m->Assign(1, val_mgr->Bool(${msg.session_present}));
-			BifEvent::generate_mqtt_connack(connection()->bro_analyzer(),
+			BifEvent::enqueue_mqtt_connack(connection()->bro_analyzer(),
 			                               connection()->bro_analyzer()->Conn(),
-			                                m);
+			                               std::move(m));
 			}
 
 		return true;