Merge remote-tracking branch 'origin/topic/johanna/netcontrol-improvements'

Great work, and great documentation! I'm getting one test failure with scripts.base.frameworks.netcontrol.catch-and-release-cluster Going ahead and commiting, Jenkins will show the details I assume. BIT-1584 #merged * origin/topic/johanna/netcontrol-improvements: SMTP does not need to pull in the notice framework. Write NetControl framework documentation. Use NetControl for ACTION_DROP of notice framework. NetControl: slightly update catch and release logging NetControl: fix several small logging issues NetControl: more catch and release logging and cluster fix NetControl: rewrite catch and release and small fixes. NetControl: find_rules_subnet works in cluster mode NetControl: fix acld whitelist command NetControl: add rule exists as state besides added and failure. NetControl: Suppress duplicate "plugin activated" messages. NetControl: make new broker plugin options accessible NetControl: add predicates to broker plugin
2025-10-04 23:58:20 +00:00 · 2016-06-30 17:27:54 -07:00 · 2016-06-30 17:27:54 -07:00 · 09ea84bb6e
commit 09ea84bb6e
parent 6e483c1f4f 743d4672bd
115 changed files with 3072 additions and 301 deletions
--- a/31
+++ b/31
@ -1,4 +1,35 @@
 2.4-676 | 2016-06-30 17:27:54 -0700
  * A larger series of NetControl updates. (Johanna Amann)
        * Add NetControl framework documentation to the Bro manual.
        * Use NetControl for ACTION_DROP of notice framework. So far,
          this action did nothing by default.
        * Rewrite of catch-and-release.
        * Fix several small logging issues.
        * find_rules_subnet() now works in cluster mode. This
          introduces two new events, NetControl::rule_new and
          NetControl::rule_destroyed, which are raised when rules are
          first added and then deleted from the internal state
          tracking.
        * Fix acld whitelist command.
        * Add rule existance as a state besides added and failure.
        * Suppress duplicate "plugin activated" messages.
        * Make new Broker plugin options accessible.
        * Add predicates to Broker plugin.
  * Tweak SMTP scripts to not to pull in the notice framework.
 2.4-658 | 2016-06-30 16:55:32 -0700
  * Fix a number of documentation building errors. (Johanna Amann)
--- a/2
+++ b/2
@ -1 +1 @@
-2.4-658
+2.4-676
--- a/doc/frameworks/index.rst
+++ b/doc/frameworks/index.rst
@ -11,6 +11,7 @@ Frameworks
   input
   intel
   logging
   netcontrol
   notice
   signatures
   sumstats
--- a/doc/frameworks/input.rst
+++ b/doc/frameworks/input.rst
@ -7,7 +7,7 @@ Input Framework
 .. rst-class:: opening
-   Bro now features a flexible input framework that allows users
+   Bro features a flexible input framework that allows users
   to import data into Bro. Data is either read into Bro tables or
   converted to events which can then be handled by scripts.
   This document gives an overview of how to use the input framework
--- a/doc/frameworks/netcontrol-1-drop-with-debug.bro
+++ b/doc/frameworks/netcontrol-1-drop-with-debug.bro
@ -0,0 +1,10 @@
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	NetControl::drop_connection(c$id, 20 secs);
 	}
--- a/doc/frameworks/netcontrol-10-use-skeleton.bro
+++ b/doc/frameworks/netcontrol-10-use-skeleton.bro
@ -0,0 +1,10 @@
 event NetControl::init()
 	{
 	local skeleton_plugin = NetControl::create_skeleton("");
 	NetControl::activate(skeleton_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	NetControl::drop_connection(c$id, 20 secs);
 	}
--- a/doc/frameworks/netcontrol-2-ssh-guesser.bro
+++ b/doc/frameworks/netcontrol-2-ssh-guesser.bro
@ -0,0 +1,16 @@
@load protocols/ssh/detect-bruteforcing
 redef SSH::password_guesses_limit=10;
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 hook Notice::policy(n: Notice::Info)
 	{
 	if ( n$note == SSH::Password_Guessing )
 		NetControl::drop_address(n$src, 60min);
 	}
--- a/doc/frameworks/netcontrol-3-ssh-guesser.bro
+++ b/doc/frameworks/netcontrol-3-ssh-guesser.bro
@ -0,0 +1,16 @@
@load protocols/ssh/detect-bruteforcing
 redef SSH::password_guesses_limit=10;
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 hook Notice::policy(n: Notice::Info)
 	{
 	if ( n$note == SSH::Password_Guessing )
 		add n$actions[Notice::ACTION_DROP];
 	}
--- a/doc/frameworks/netcontrol-4-drop.bro
+++ b/doc/frameworks/netcontrol-4-drop.bro
@ -0,0 +1,26 @@
 function our_drop_connection(c: conn_id, t: interval)
 	{
 	# As a first step, create the NetControl::Entity that we want to block
 	local e = NetControl::Entity($ty=NetControl::CONNECTION, $conn=c);
 	# Then, use the entity to create the rule to drop the entity in the forward path
 	local r = NetControl::Rule($ty=NetControl::DROP,
 		$target=NetControl::FORWARD, $entity=e, $expire=t);
 	# Add the rule
 	local id = NetControl::add_rule(r);
 	if ( id == "" )
 		print "Error while dropping";
 	}
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	our_drop_connection(c$id, 20 secs);
 	}
--- a/doc/frameworks/netcontrol-5-hook.bro
+++ b/doc/frameworks/netcontrol-5-hook.bro
@ -0,0 +1,22 @@
 hook NetControl::rule_policy(r: NetControl::Rule)
 	{
 	if ( r$ty == NetControl::DROP &&
 	     r$entity$ty == NetControl::CONNECTION &&
 			 r$entity$conn$orig_h in 192.168.0.0/16 )
 			 {
 			 print "Ignored connection from", r$entity$conn$orig_h;
 			 break;
 			 }
 	}
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	NetControl::drop_connection(c$id, 20 secs);
 	}
--- a/doc/frameworks/netcontrol-6-find.bro
+++ b/doc/frameworks/netcontrol-6-find.bro
@ -0,0 +1,17 @@
 event NetControl::init()
 	{
 	local netcontrol_debug = NetControl::create_debug(T);
 	NetControl::activate(netcontrol_debug, 0);
 	}
 event connection_established(c: connection)
 	{
 	if ( |NetControl::find_rules_addr(c$id$orig_h)| > 0 )
 		{
 		print "Rule already exists";
 		return;
 		}
 	NetControl::drop_connection(c$id, 20 secs);
 	print "Rule added";
 	}
--- a/doc/frameworks/netcontrol-7-catch-release.bro
+++ b/doc/frameworks/netcontrol-7-catch-release.bro
@ -0,0 +1,10 @@
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	NetControl::drop_address_catch_release(c$id$orig_h);
 	}
--- a/doc/frameworks/netcontrol-8-multiple.bro
+++ b/doc/frameworks/netcontrol-8-multiple.bro
@ -0,0 +1,29 @@
 function our_openflow_check(p: NetControl::PluginState, r: NetControl::Rule): bool
 	{
 	if ( r$ty == NetControl::DROP &&
 		r$entity$ty == NetControl::ADDRESS &&
 		subnet_width(r$entity$ip) == 32 &&
 		subnet_to_addr(r$entity$ip) in 192.168.17.0/24 )
 		return F;
 	return T;
 	}
 event NetControl::init()
 	{
 	# Add debug plugin with low priority
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	# Instantiate OpenFlow debug plugin with higher priority
 	local of_controller = OpenFlow::log_new(42);
 	local netcontrol_of = NetControl::create_openflow(of_controller, [$check_pred=our_openflow_check]);
 	NetControl::activate(netcontrol_of, 10);
 	}
 event NetControl::init_done()
 	{
 	NetControl::drop_address(10.0.0.1, 1min);
 	NetControl::drop_address(192.168.17.2, 1min);
 	NetControl::drop_address(192.168.18.2, 1min);
 	}
--- a/doc/frameworks/netcontrol-9-skeleton.bro
+++ b/doc/frameworks/netcontrol-9-skeleton.bro
@ -0,0 +1,39 @@
 module NetControl;
 export {
 	## Instantiates the plugin.
 	global create_skeleton: function(argument: string) : PluginState;
 }
 function skeleton_name(p: PluginState) : string
 	{
 	return "NetControl skeleton plugin";
 	}
 function skeleton_add_rule_fun(p: PluginState, r: Rule) : bool
 	{
 	print "add", r;
 	event NetControl::rule_added(r, p);
 	return T;
 	}
 	function skeleton_remove_rule_fun(p: PluginState, r: Rule) : bool
 	{
 	print "remove", r;
 	event NetControl::rule_removed(r, p);
 	return T;
 	}
 global skeleton_plugin = Plugin(
 	$name = skeleton_name,
 	$can_expire = F,
 	$add_rule = skeleton_add_rule_fun,
 	$remove_rule = skeleton_remove_rule_fun
 	);
 function create_skeleton(argument: string) : PluginState
 	{
 	local p = PluginState($plugin=skeleton_plugin);
 	return p;
 	}
--- a/doc/frameworks/netcontrol-architecture.png
+++ b/doc/frameworks/netcontrol-architecture.png
--- a/doc/frameworks/netcontrol-openflow.png
+++ b/doc/frameworks/netcontrol-openflow.png
--- a/doc/frameworks/netcontrol-rules.png
+++ b/doc/frameworks/netcontrol-rules.png
--- a/doc/frameworks/netcontrol.rst
+++ b/doc/frameworks/netcontrol.rst
@ -0,0 +1,633 @@
 .. _framework-netcontrol:
 ====================
 NetControl Framework
 ====================
 .. rst-class:: opening
  Bro can connect with network devices like, for example, switches
  or soft- and hardware firewalls using the NetControl framework. The
  NetControl framework provides a flexible, unified interface for active
  response and hides the complexity of heterogeneous network equipment
  behind a simple task-oriented API, which is easily usable via Bro
  scripts. This document gives an overview of how to use the NetControl
  framework in different scenarios; to get a better understanding of how
  it can be used in practice, it might be worthwhile to take a look at
  the unit tests.
 .. contents::
 NetControl Architecture
 =======================
 .. figure:: netcontrol-architecture.png
    :width: 600
    :align: center
    :alt: NetControl framework architecture
    :target: ../_images/netcontrol-architecture.png
    NetControl architecture (click to enlarge).
 The basic architecture of the NetControl framework is shown in the figure above.
 Conceptually, the NetControl framework sits inbetween the user provided scripts
 (which use the Bro event engine) and the network device (which can either be a
 hardware or software device), that is used to implement the commands.
 The NetControl framework supports a number of high-level calls, like the
 :bro:see:`NetControl::drop_address` function, or lower a lower level rule
 syntax. After a rule has been added to the NetControl framework, NetControl
 sends the rule to one or several of its *backends*. Each backend is responsible
 to communicate with a single hard- or software device. The NetControl framework
 tracks rules throughout their entire lifecycle and reports the status (like
 success, failure and timeouts) back to the user scripts.
 The backends are implemented as Bro scripts using a plugin based API; an example
 for this is :doc:`/scripts/base/frameworks/netcontrol/plugins/broker.bro`. This
 document will show how to write plugins in
 :ref:`framework-netcontrol-plugins`.
 NetControl API
 ==============
 High-level NetControl API
 -------------------------
 In this section, we will introduce the high level NetControl API. As mentioned
 above, NetControl uses *backends* to communicate with the external devices that
 will implement the rules. You will need at least one active backend before you
 can use NetControl. For our examples, we will just use the debug plugin to
 create a backend. This plugin outputs all actions that are taken to the standard
 output.
 Backends should be initialized in the :bro:see:`NetControl::init` event, calling
 the :bro:see:`NetControl::activate` function after the plugin instance has been
 initialized. The debug plugin can be initialized as follows:
 .. code:: bro
  event NetControl::init()
    {
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);
    }
 After at least one backend has been added to the NetControl framework, the
 framework can be used and will send added rules to the added backend.
 The NetControl framework contains several high level functions that allow users
 to drop connections of certain addresses and networks, shunt network traffic,
 etc. The following table shows and describes all of the currently available
 high-level functions.
 .. list-table::
    :widths: 32 40
    :header-rows: 1
    * - Function
      - Description
    * - :bro:see:`NetControl::drop_address`
      - Calling this function causes NetControl to block all packets involving
        an IP address from being forwarded
    * - :bro:see:`NetControl::drop_connection`
      - Calling this function stops all packets of a specific connection
        (identified by its 5-tuple) from being forwarded.
    * - :bro:see:`NetControl::drop_address`
      - Calling this function causes NetControl to block all packets involving
        an IP address from being forwarded
    * - :bro:see:`NetControl::drop_address_catch_release`
      - Calling this function causes all packets of a specific source IP to be
        blocked. This function uses catch-and-release functionality and the IP
        address is only dropped for a short amount of time to conserve rule
        space in the network hardware. It is immediately re-dropped when it is
        seen again in traffic. See :ref:`framework-netcontrol-catchrelease` for
        more information.
    * - :bro:see:`NetControl::shunt_flow`
      - Calling this function causes NetControl to stop forwarding a
        uni-directional flow of packets to Bro. This allows Bro to conserve
        resources by shunting flows that have been identified as being benign.
    * - :bro:see:`NetControl::redirect_flow`
      - Calling this function causes NetControl to redirect an uni-directional
        flow to another port of the networking hardware.
    * - :bro:see:`NetControl::quarantine_host`
      - Calling this function allows Bro to quarantine a host by sending DNS
        traffic to a host with a special DNS server, which resolves all queries
        as pointing to itself. The quarantined host is only allowed between the
        special server, which will serve a warning message detailing the next
        steps for the user
    * - :bro:see:`NetControl::whitelist_address`
      - Calling this function causes NetControl to push a whitelist entry for an
        IP address to the networking hardware.
    * - :bro:see:`NetControl::whitelist_subnet`
      - Calling this function causes NetControl to push a whitelist entry for a
        subnet to the networking hardware.
 After adding a backend, all of these functions can immediately be used and will
 start sending the rules to the added backend(s). To give a very simple example,
 the following script will simply block the traffic of all connections that it
 sees being established:
 .. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-1-drop-with-debug.bro
 Running this script on a file containing one connection will cause the debug
 plugin to print one line to the standard output, which contains information
 about the rule that was added. It will also cause creation of `netcontrol.log`,
 which contains information about all actions that are taken by NetControl:
 .. btest:: netcontrol-1-drop-with-debug.bro
    @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-1-drop-with-debug.bro
    @TEST-EXEC: btest-rst-cmd cat netcontrol.log
 In our case, `netcontrol.log` contains several :bro:see:`NetControl::MESSAGE`
 entries, which show that the debug plugin has been initialized and added.
 Afterwards, there are two :bro:see:`NetControl::RULE` entries; the first shows
 that the addition of a rule has been requested (state is
 :bro:see:`NetControl::REQUESTED`). The following line shows that the rule was
 successfully added (the state is  :bro:see:`NetControl::SUCCEEDED`). The
 remainder of the log line gives more information about the added rule, which in
 our case applies to a specific 5-tuple.
 In addition to the netcontrol.log, the drop commands also create a second,
 additional log called `netcontrol_drop.log`. This log file is much more succinct and
 only contains information that is specific to drops that are enacted by
 NetControl:
 .. btest:: netcontrol-1-drop-with-debug.bro
    @TEST-EXEC: btest-rst-cmd cat netcontrol_drop.log
 While this example of blocking all connections is usually not very useful, the
 high-level API gives an easy way to take action, for example when a host is
 identified doing some harmful activity. To give a more realistic example, the
 following code automatically blocks a recognized SSH guesser:
 .. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-2-ssh-guesser.bro
 .. btest:: netcontrol-2-ssh-guesser.bro
    @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-2-ssh-guesser.bro
    @TEST-EXEC: btest-rst-cmd cat netcontrol.log
 Note that in this case, instead of calling NetControl directly, we also can use
 the :bro:see:`Notice::ACTION_DROP` action of the notice framework:
 .. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-3-ssh-guesser.bro
 .. btest:: netcontrol-3-ssh-guesser.bro
    @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-3-ssh-guesser.bro
    @TEST-EXEC: btest-rst-cmd cat netcontrol.log
 Using the :bro:see:`Notice::ACTION_DROP` action of the notice framework also
 will cause the `dropped` column in `notice.log` to be set to true each time that
 the NetControl framework enacts a block:
 .. btest:: netcontrol-3-ssh-guesser.bro
    @TEST-EXEC: btest-rst-cmd cat notice.log
 Rule API
 --------
 As already mentioned in the last section, in addition to the high-level API, the
 NetControl framework also supports a Rule based API which allows greater
 flexibility while adding rules. Actually, all the high-level functions are
 implemented using this lower-level rule API; the high-level functions simply
 convert their arguments into the lower-level rules and then add the rules
 directly to the NetControl framework (by calling :bro:see:`NetControl::add_rule`).
 The following figure shows the main components of NetControl rules:
 .. figure:: netcontrol-rules.png
    :width: 600
    :align: center
    :alt: NetControl rule overview
    :target: ../_images/netcontrol-rules.png
    NetControl Rule overview (click to enlarge).
 The types that are used to make up a rule are defined in
 :doc:`/scripts/base/frameworks/netcontrol/types.bro`.
 Rules are defined as a :bro:see:`NetControl::Rule` record. Rules have a *type*,
 which specifies what kind of action is taken. The possible actions are to
 **drop** packets, to **modify** them, to **redirect** or to **whitelist** them.
 The *target* of a rule specifies if the rule is applied in the *forward path*,
 and affects packets as they are forwarded through the network, or if it affects
 the *monitor path* and only affects the packets that are sent to Bro, but not
 the packets that traverse the network. The *entity* specifies the address,
 connection, etc. that the rule applies to. In addition, each notice has a
 *timeout* (which can be left empty), a *priority* (with higher priority rules
 overriding lower priority rules). Furthermore, a *location* string with more
 text information about each rule can be provided.
 There are a couple more fields that only needed for some rule types. For
 example, when you insert a redirect rule, you have to specify the port that
 packets should be redirected too. All these fields are shown in the
 :bro:see:`NetControl::Rule` documentation.
 To give an example on how to construct your own rule, we are going to write
 our own version of the :bro:see:`NetControl::drop_connection` function. The only
 difference between our function and the one provided by NetControl is the fact
 that the NetControl function has additional functionality, e.g. for logging.
 Once again, we are going to test our function with a simple example that simply
 drops all connections on the Network:
 .. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-4-drop.bro
 .. btest:: netcontrol-4-drop.bro
    @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-4-drop.bro
    @TEST-EXEC: btest-rst-cmd cat netcontrol.log
 The last example shows that :bro:see:`NetControl::add_rule` returns a string
 identifier that is unique for each rule (uniqueness is not preserved across
 restarts or Bro). This rule id can be used to later remove rules manually using
 :bro:see:`NetControl::remove_rule`.
 Similar to :bro:see:`NetControl::add_rule`, all the high-level functions also
 return their rule IDs, which can be removed in the same way.
 Interacting with Rules
 ----------------------
 The NetControl framework offers a number of different ways to interact with
 Rules. Before a rule is applied by the framework, a number of different hooks
 allow you to either modify or discard rules before they are added. Furthermore,
 a number of events can be used to track the lifecycle of a rule while it is
 being managed by the NetControl framework. It is also possible to query and
 access the current set of active rules.
 Rule Policy
 ***********
 The hook :bro:see:`NetControl::rule_policy` provides the mechanism for modifying
 or discarding a rule before it is sent onwards to the backends. Hooks can be
 thought of as multi-bodied functions and using them looks very similar to
 handling events. In difference to events, they are processed immediately. Like
 events, hooks can have priorities to sort the order in which they are applied.
 Hooks can use the ``break`` keyword to show that processing should be aborted;
 if any :bro:see:`NetControl::rule_policy` hook uses ``break``, the rule will be
 discarded before further processing.
 Here is a simple example which tells Bro to discard all rules for connections
 originating from the 192.168.* network:
 .. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-5-hook.bro
 .. btest:: netcontrol-5-hook.bro
    @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-5-hook.bro
 NetControl Events
 *****************
 In addition to the hooks, the NetControl framework offers a variety of events
 that are raised by the framework to allow users to track rules, as well as the
 state of the framework.
 We already encountered and used one event of the NetControl framework,
 :bro:see:`NetControl::init`, which is used to initialize the framework. After
 the framework has finished initialization and will start accepting rules, the
 :bro:see:`NetControl::init_done` event will be raised.
 When rules are added to the framework, the following events will be called in
 this order:
 .. list-table::
    :widths: 20 80
    :header-rows: 1
    * - Event
      - Description
    * - :bro:see:`NetControl::rule_new`
      - Signals that a new rule is created by the NetControl framework due to
        :bro:see:`NetControl::add_rule`. At this point of time, the rule has not
        yet been added to any backend.
    * - :bro:see:`NetControl::rule_added`
      - Signals that a new rule has successfully been added by a backend.
    * - :bro:see:`NetControl::rule_exists`
      - This event is raised instead of :bro:see:`NetControl::rule_added` when a
        backend reports that a rule was already existing.
    * - :bro:see:`NetControl::rule_timeout`
      - Signals that a rule timeout was reached. If the hardware does not support
        automatic timeouts, the NetControl framework will automatically call
        bro:see:`NetControl::remove_rule`.
    * - :bro:see:`NetControl::rule_removed`
      - Signals that a new rule has successfully been removed a backend.
    * - :bro:see:`NetControl::rule_destroyed`
      - This event is the pendant to :bro:see:`NetControl::rule_added`, and
        reports that a rule is no longer be tracked by the NetControl framework.
        This happens, for example, when a rule was removed from all backend.
    * - :bro:see:`NetControl::rule_error`
      - This event is raised whenever an error occurs during any rule operation.
 Finding active rules
 ********************
 The NetControl framework provides two functions for finding currently active
 rules: :bro:see:`NetControl::find_rules_addr` finds all rules that affect a
 certain IP address and :bro:see:`NetControl::find_rules_subnet` finds all rules
 that affect a specified subnet.
 Consider, for example, the case where a Bro instance monitors the traffic at the
 border, before any firewall or switch rules were applied. In this case, Bro will
 still be able to see connection attempts of already blocked IP addresses. In this
 case, :bro:see:`NetControl::find_rules_addr` could be used to check if an
 address already was blocked in the past.
 Here is a simple example, which uses a trace that contains two connections from
 the same IP address. After the first connection, the script recognizes that the
 address is already blocked in the second connection.
 .. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-6-find.bro
 .. btest:: netcontrol-6-find.bro
    @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/google-duplicate.trace ${DOC_ROOT}/frameworks/netcontrol-6-find.bro
 Notice that the functions return vectors because it is possible that several
 rules exist simultaneously that affect one IP; either there could be
 rules with different priorities, or rules for the subnet that an IP address is
 part of.
 .. _framework-netcontrol-catchrelease:
 Catch and Release
 -----------------
 We already mentioned earlier that in addition to the
 :bro:see:`NetControl::drop_connection` and :bro:see:`NetControl::drop_address`
 functions, which drop a connection or address for a specified amount of time,
 NetControl also comes with a blocking function that uses an approach called
 *catch and release*.
 Catch and release is a blocking scheme that conserves valuable rule space in
 your hardware. Instead of using long-lasting blocks, catch and release first
 only installs blocks for short amount of times (typically a few minutes). After
 these minutes pass, the block is lifted, but the IP address is added to a
 watchlist and the IP address will immediately be re-blocked again (for a longer
 amount of time), if it is seen reappearing in any traffic, no matter if the new
 traffic triggers any alert or not.
 This makes catch and release blocks similar to normal, longer duration blocks,
 while only requiring a small amount of space for the currently active rules. IP
 addresses that only are seen once for a short time are only blocked for a few
 minutes, monitored for a while and then forgotten. IP addresses that keep
 appearing will get re-blocked for longer amounts of time.
 In difference to the other high-level functions that we documented so far, the
 catch and release functionality is much more complex and adds a number of
 different specialized functions to NetControl. The documentation for catch and
 release is contained in the file
 :doc:`/scripts/base/frameworks/netcontrol/catch-and-release.bro`.
 Using catch and release in your scripts is easy; just use
 :bro:see:`NetControl::drop_address_catch_release` like in this example:
 .. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-7-catch-release.bro
 .. btest:: netcontrol-7-catch-release.bro
    @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-7-catch-release.bro
 Note that you do not have to provide the block time for catch and release;
 instead, catch and release uses the time intervals specified in
 :bro:see:`NetControl::catch_release_intervals` (by default 10 minutes, 1 hour,
 24 hours, 7 days). That means when an address is first blocked, it is blocked
 for 10 minutes and monitored for 1 hour. If the address reappears after the
 first 10 minutes, it is blocked for 1 hour and then monitored for 24 hours, etc.
 Catch and release adds its own new logfile in addition to the already existing
 ones (netcontrol_catch_release.log):
 .. btest:: netcontrol-7-catch-release.bro
    @TEST-EXEC: btest-rst-cmd cat netcontrol_catch_release.log
 In addition to the blocking function, catch and release comes with the
 :bro:see:`NetControl::get_catch_release_info` function to
 check if an address is already blocked by catch and release (and get information
 about the block). The :bro:see:`NetControl::unblock_address_catch_release`
 function can be used to unblock addresses from catch and release.
 .. note::
    Since catch and release does its own connection tracking in addition to the
    tracking used by the NetControl framework, it is not sufficient to remove
    rules that were added by catch and release using :bro:see:`NetControl::remove_rule`.
    You have to use :bro:see:`NetControl::unblock_address_catch_release` in this
    case.
 .. _framework-netcontrol-plugins:
 NetControl Plugins
 ==================
 Using the existing plugins
 --------------------------
 In the API part of the documentation, we exclusively used the debug plugin,
 which simply outputs its actions to the screen. In addition to this debugging
 plugin, Bro ships with a small number of plugins that can be used to interface
 the NetControl framework with your networking hard- and software.
 The plugins that currently ship with NetControl are:
 .. list-table::
    :widths: 15 55
    :header-rows: 1
    * - Plugin name
      - Description
    * - OpenFlow plugin
      - This is the most fully featured plugin which allows the NetControl
        framework to be interfaced with OpenFlow switches. The source of this
        plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.bro`.
    * - Broker plugin
      - This plugin provides a generic way to send NetControl commands using the
        new Bro communication library (Broker). External programs can receive
        the rules and take action; we provide an example script that calls
        command-line programs triggered by NetControl. The source of this
        plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/broker.bro`.
    * - acld plugin
      - This plugin adds support for the acld daemon, which can interface with
        several switches and routers. The current version of acld is available
        from the `LBL ftp server <ftp://ftp.ee.lbl.gov/acld.tar.gz>`_. The source of this
        plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/acld.bro`.
    * - PacketFilter plugin
      - This plugin adds uses the Bro process-level packet filter (see
        :bro:see:`install_src_net_filter` and
        :bro:see:`install_dst_net_filter`). Since the functionality of the
        PacketFilter is limited, this plugin is mostly for demonstration purposes. The source of this
        plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/packetfilter.bro`.
    * - Debug plugin
      - The debug plugin simply outputs its action to the standard output. The source of this
        plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/debug.bro`.
 Activating plugins
 ******************
 In the API reference part of this document, we already used the debug plugin. To
 use the plugin, we first had to instantiate it by calling
 :bro:see:`NetControl::NetControl::create_debug` and then add it to NetControl by
 calling :bro:see:`NetControl::activate`.
 As we already hinted before, NetControl supports having several plugins that are
 active at the same time. The second argument to the `NetControl::activate`
 function is the priority of the backend that was just added. Each rule is sent
 to all plugins in order, from highest priority to lowest priority. The backend
 can then choose if it accepts the rule and pushes it out to the hardware that it
 manages. Or, it can opt to reject the rule. In this case, the NetControl
 framework will try to apply the rule to the backend with the next lower
 priority. If no backend accepts a rule, the rule insertion is marked as failed.
 The choice if a rule is accepted or rejected stays completely with each plugin.
 The debug plugin we used so far just accepts all rules. However, for other
 plugins you can specify what rules they will accept. Consider, for example, a
 network with two OpenFlow switches. The first switch forwards packets from the
 network to the external world, the second switch sits in front of your Bro
 cluster to provide packet shunting. In this case, you can add two OpenFlow
 backends to NetControl. When you create the instances using
 :bro:see:`NetControl::create_openflow`, you set the `monitor` and `forward`
 attributes of the configuration in :bro:see:`NetControl::OfConfig`
 appropriately. Afterwards, one of the backends will only accept rules for the
 monitor path; the other backend will only accept rules for the forward path.
 Commonly, plugins also support predicate functions, that allow the user to
 specify restrictions on the rules that they will accept. This can for example be
 used if you have a network where certain switches are responsible for specified
 subnets. The predicate can examine the subnet of the rule and only accept the
 rule if the rule matches the subnet that the specific switch is responsible for.
 To give an example, the following script adds two backends to NetControl. One
 backend is the NetControl debug backend, which just outputs the rules to the
 console. The second backend is an OpenFlow backend, which uses the OpenFlow
 debug mode that outputs the openflow rules to openflow.log. The OpenFlow
 backend uses a predicate function to only accept rules with a source address in
 the 192.168.17.0/24 network; all other rules will be passed on to the debug
 plugin. We manually block a few addresses in the
 :bro:see:`NetControl::init_done` event to verify the correct functionality.
 .. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-8-multiple.bro
 .. btest:: netcontrol-8-multiple.bro
    @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/frameworks/netcontrol-8-multiple.bro
 As you can see, only the single block affecting the 192.168.17.0/24 network is
 output to the command line. The other two lines are handled by the OpenFlow
 plugin. We can verify this by looking at netcontrol.log. The plugin column shows
 which plugin handled a rule and reveals that two rules were handled by OpenFlow:
 .. btest:: netcontrol-8-multiple.bro
    @TEST-EXEC: btest-rst-cmd cat netcontrol.log
 Furthermore, openflow.log also shows the two added rules, converted to OpenFlow
 flow mods:
 .. btest:: netcontrol-8-multiple.bro
    @TEST-EXEC: btest-rst-cmd cat openflow.log
 .. note::
    You might have asked yourself what happens when you add two or more with the
    same priority. In this case, the rule is sent to all the backends
    simultaneously. This can be useful, for example when you have redundant
    switches that should keep the same rule state.
 Interfacing with external hardware
 **********************************
 Now that we know which plugins exist, and how they can be added to NetControl,
 it is time to discuss how we can interface Bro with actual hardware. The typical
 way to accomplish this is to use the Bro communication library (Broker), which
 can be used to exchange Bro events with external programs and scripts. The
 NetControl plugins can use Broker to send events to external programs, which can
 then take action depending on these events.
 The following figure shows this architecture with the example of the OpenFlow
 plugin. The OpenFlow plugin uses Broker to send events to an external Python
 script, which uses the `Ryu SDN controller <https://osrg.github.io/ryu/>`_ to
 communicate with the Switch.
 .. figure:: netcontrol-openflow.png
    :width: 600
    :align: center
    :alt: NetControl and OpenFlow architecture.
    :target: ../_images/netcontrol-openflow.png
    NetControl and OpenFlow architecture (click to enlarge).
 The Python scripts that are used to interface with the available NetControl
 plugins are contained in the `bro-netcontrol` repository (`github link <https://github.com/bro/bro-netcontrol>`_).
 The repository contains scripts for the OpenFlow as well as the acld plugin.
 Furthermore, it contains a script for the broker plugin which can be used to
 call configureable command-line programs when used with the broker plugin.
 The repository also contains documentation on how to install these connectors.
 The `netcontrol` directory contains an API that allows you to write your own
 connectors to the broker plugin.
 .. note::
    Note that the API of the Broker communication library is not finalized yet.
    You might have to rewrite any scripts for use in future Bro versions.
 Writing plugins
 ---------------
 In addition to using the plugins that are part of NetControl, you can write your
 own plugins to interface with hard- or software that we currently do not support
 out of the Box.
 Creating your own plugin is easy; besides a bit of boilerplate, you only need to
 create two functions: one that is called when a rule is added, and one that is
 called when a rule is removed. The following script creates a minimal plugin
 that just outputs a rule when it is added or removed. Note that you have to
 raise the :bro:see:`NetControl::rule_added` and
 :bro:see:`NetControl::rule_removed` events in your plugin to let NetControl know
 when a rule was added and removed successfully.
 .. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-9-skeleton.bro
 This example is already fully functional and we can use it with a script similar
 to our very first example:
 .. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-10-use-skeleton.bro
 .. btest:: netcontrol-9-skeleton.bro
    @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-9-skeleton.bro ${DOC_ROOT}/frameworks/netcontrol-10-use-skeleton.bro
 If you want to write your own plugins, it will be worthwhile to look at the
 plugins that ship with the NetControl framework to see how they define the
 predicates and interact with Broker.
--- a/doc/script-reference/log-files.rst
+++ b/doc/script-reference/log-files.rst
@ -71,6 +71,23 @@ Files
 | x509.log                   | X.509 certificate info                | :bro:type:`X509::Info`          |
 +----------------------------+---------------------------------------+---------------------------------+
 NetControl
 ----------
 +------------------------------+---------------------------------------+------------------------------------------+
 | Log File                     | Description                           | Field Descriptions                       |
 +==============================+=======================================+==========================================+
 | netcontrol.log               | NetControl actions                    | :bro:type:`NetControl::Info`             |
 +------------------------------+---------------------------------------+------------------------------------------+
 | netcontrol_drop.log          | NetControl actions                    | :bro:type:`NetControl::DropInfo`         |
 +------------------------------+---------------------------------------+------------------------------------------+
 | netcontrol_shunt.log         | NetControl shunt actions              | :bro:type:`NetControl::ShuntInfo`        |
 +------------------------------+---------------------------------------+------------------------------------------+
 | netcontrol_catch_release.log | NetControl catch and release actions  | :bro:type:`NetControl::CatchReleaseInfo` |
 +------------------------------+---------------------------------------+------------------------------------------+
 | openflow.log                 | OpenFlow debug log                    | :bro:type:`OpenFlow::Info`               |
 +------------------------------+---------------------------------------+------------------------------------------+
 Detection
 ---------
--- a/scripts/base/frameworks/netcontrol/README
+++ b/scripts/base/frameworks/netcontrol/README
@ -0,0 +1,3 @@
 The NetControl framework provides a way for Bro to interact with networking
 hard- and software, e.g. for dropping and shunting IP addresses/connections,
 etc.
--- a/scripts/base/frameworks/netcontrol/catch-and-release.bro
+++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro
@ -2,103 +2,508 @@
 module NetControl;
@load base/frameworks/cluster
@load ./main
@load ./drop
 export {
 	redef enum Log::ID += { CATCH_RELEASE };
 	## Thhis record is used is used for storing information about current blocks that are
 	## part of catch and release.
 	type BlockInfo: record {
 		## Absolute time indicating until when a block is inserted using NetControl
 		block_until: time &optional;
 		## Absolute time indicating until when an IP address is watched to reblock it
 		watch_until: time;
 		## Number of times an IP address was reblocked
 		num_reblocked: count &default=0;
 		## Number indicating at which catch and release interval we currently are
 		current_interval: count;
 		## ID of the inserted block, if any.
 		current_block_id: string;
 		## User specified string
 		location: string &optional;
 	};
 	## The enum that contains the different kinds of messages that are logged by
 	## catch and release
 	type CatchReleaseActions: enum {
 		## Log lines marked with info are purely informational; no action was taken
 		INFO,
 		## A rule for the specified IP address already existed in NetControl (outside
 		## of catch-and-release). Catch and release did not add a new rule, but is now
 		## watching the IP address and will add a new rule after the current rule expired.
 		ADDED,
 		## A drop was requested by catch and release
 		DROP,
 		## A address was succesfully blocked by catch and release
 		DROPPED,
 		## An address was unblocked after the timeout expired
 		UNBLOCK,
 		## An address was forgotten because it did not reappear within the `watch_until` interval
 		FORGOTTEN,
 		## A watched IP address was seen again; catch and release will re-block it.
 		SEEN_AGAIN
 	};
 	## The record type that is used for representing and logging
 	type CatchReleaseInfo: record {
 		## The absolute time indicating when the action for this log-line occured.
 		ts: time &log;
 		## The rule id that this log lone refers to.
 		rule_id: string &log &optional;
 		## The IP address that this line refers to.
 		ip: addr &log;
 		## The action that was taken in this log-line.
 		action: CatchReleaseActions &log;
 		## The current block_interaval (for how long the address is blocked).
 		block_interval: interval &log &optional;
 		## The current watch_interval (for how long the address will be watched and re-block if it reappears).
 		watch_interval: interval &log &optional;
 		## The absolute time until which the address is blocked.
 		blocked_until: time &log &optional;
 		## The absolute time until which the address will be monitored.
 		watched_until: time &log &optional;
 		## Number of times that this address was blocked in the current cycle.
 		num_blocked: count &log &optional;
 		## The user specified location string.
 		location: string &log &optional;
 		## Additional informational string by the catch and release framework about this log-line.
 		message: string &log &optional;
 	};
 	## Stops all packets involving an IP address from being forwarded. This function
 	## uses catch-and-release functionality, where the IP address is only dropped for
 	## a short amount of time that is incremented steadily when the IP is encountered
 	## again.
 	##
 	## In cluster mode, this function works on workers as well as the manager. On managers,
 	## the returned :bro:see:`NetControl::BlockInfo` record will not contain the block ID,
 	## which will be assigned on the manager.
 	##
 	## a: The address to be dropped.
 	##
 	## t: How long to drop it, with 0 being indefinitly.
 	##
 	## location: An optional string describing where the drop was triggered.
 	##
-	## Returns: The id of the inserted rule on succes and zero on failure.
+	## Returns: The :bro:see:`NetControl::BlockInfo` record containing information about
-	global drop_address_catch_release: function(a: addr, location: string &default="") : string;
+	##          the inserted block.
 	global drop_address_catch_release: function(a: addr, location: string &default="") : BlockInfo;
 	## Removes an address from being watched with catch and release. Returns true if the
 	## address was found and removed; returns false if it was unknown to catch and release.
 	##
 	## If the address is currently blocked, and the block was inserted by catch and release,
 	## the block is removed.
 	##
 	## a: The address to be unblocked.
 	##
 	## Returns: True if the address was unblocked.
 	global unblock_address_catch_release: function(a: addr) : bool;
 	## This function can be called to notify the cach and release script that activity by
 	## an IP address was seen. If the respective IP address is currently monitored by catch and
 	## release and not blocked, the block will be re-instated. See the documentation of watch_new_connection
 	## which events the catch and release functionality usually monitors for activity.
 	##
 	## a: The address that was seen and should be re-dropped if it is being watched
 	global catch_release_seen: function(a: addr);
 	## Get the :bro:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release.
 	## If the address is unknown to catch and release, the watch_until time will be set to 0.
 	##
 	## In cluster mode, this function works on the manager and workers. On workers, the data will
 	## lag slightly behind the manager; if you add a block, it will not be instantly available via
 	## this function.
 	##
 	## a: The address to get information about.
 	##
 	## Returns: The :bro:see:`NetControl::BlockInfo` record containing information about
 	##          the inserted block.
 	global get_catch_release_info: function(a: addr) : BlockInfo;
 	## If true, catch_release_seen is called on the connection originator in new_connection,
 	## connection_established, partial_connection, connection_attempt, connection_rejected,
 	## connection_reset and connection_pending
 	const watch_connections = T &redef;
 	## If true, catch and release warns if packets of an IP address are still seen after it
 	## should have been blocked.
 	const catch_release_warn_blocked_ip_encountered = F &redef;
 	## Time intervals for which a subsequent drops of the same IP take
 	## effect.
 	const catch_release_intervals: vector of interval = vector(10min, 1hr, 24hrs, 7days) &redef;
 	## Event that can be handled to access the :bro:type:`NetControl::CatchReleaseInfo`
 	## record as it is sent on to the logging framework.
 	global log_netcontrol_catch_release: event(rec: CatchReleaseInfo);
 	# Cluster events for catch and release
 	global catch_release_block_new: event(a: addr, b: BlockInfo);
 	global catch_release_block_delete: event(a: addr);
 	global catch_release_add: event(a: addr, location: string);
 	global catch_release_delete: event(a: addr);
 	global catch_release_encountered: event(a: addr);
 }
-function per_block_interval(t: table[addr] of count, idx: addr): interval
+# set that is used to only send seen notifications to the master every ~30 seconds.
 global catch_release_recently_notified: set[addr] &create_expire=30secs;
 event bro_init() &priority=5
 	{
-	local ct = t[idx];
+	Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release"]);
 	# watch for the time of the next block...
 	local blocktime = catch_release_intervals[ct];
 	if ( (ct+1) in catch_release_intervals )
 		blocktime = catch_release_intervals[ct+1];
 	return blocktime;
 	}
-# This is the internally maintained table containing all the currently going on catch-and-release
+function get_watch_interval(current_interval: count): interval
-# blocks.
+	{
-global blocks: table[addr] of count = {}
+	if ( (current_interval + 1) in catch_release_intervals )
 		return catch_release_intervals[current_interval+1];
 	else
 		return catch_release_intervals[current_interval];
 	}
 function populate_log_record(ip: addr, bi: BlockInfo, action: CatchReleaseActions): CatchReleaseInfo
 	{
 	local log = CatchReleaseInfo($ts=network_time(), $ip=ip, $action=action,
 	        $block_interval=catch_release_intervals[bi$current_interval],
 	        $watch_interval=get_watch_interval(bi$current_interval),
 	        $watched_until=bi$watch_until,
 	        $num_blocked=bi$num_reblocked+1
 	        );
 	if ( bi?$block_until )
 		log$blocked_until = bi$block_until;
 	if ( bi?$current_block_id && bi$current_block_id != "" )
 		log$rule_id = bi$current_block_id;
 	if ( bi?$location )
 		log$location = bi$location;
 	return log;
 	}
 function per_block_interval(t: table[addr] of BlockInfo, idx: addr): interval
 	{
 	local remaining_time = t[idx]$watch_until - network_time();
 	if ( remaining_time < 0secs )
 		remaining_time = 0secs;
@if ( ! Cluster::is_enabled() || ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) )
 	if ( remaining_time == 0secs )
 		{
 		local log = populate_log_record(idx, t[idx], FORGOTTEN);
 		Log::write(CATCH_RELEASE, log);
 		}
@endif
 	return remaining_time;
 	}
 # This is the internally maintained table containing all the addresses that are currently being
 # watched to see if they will re-surface. After the time is reached, monitoring of that specific
 # IP will stop.
 global blocks: table[addr] of BlockInfo = {}
 	&create_expire=0secs
 	&expire_func=per_block_interval;
-function current_block_interval(s: set[addr], idx: addr): interval
+
@if ( Cluster::is_enabled() )
@load base/frameworks/cluster
 redef Cluster::manager2worker_events += /NetControl::catch_release_block_(new|delete)/;
 redef Cluster::worker2manager_events += /NetControl::catch_release_(add|delete|encountered)/;
@endif
 function cr_check_rule(r: Rule): bool
 	{
-	if ( idx !in blocks )
+	if ( r$ty == DROP && r$entity$ty == ADDRESS )
 		{
-		Reporter::error(fmt("Address %s not in blocks while inserting into current_blocks!", idx));
+		local ip = r$entity$ip;
-		return 0sec;
+		if ( ( is_v4_subnet(ip) && subnet_width(ip) == 32 ) || ( is_v6_subnet(ip) && subnet_width(ip) == 128 ) )
 			{
 			if ( subnet_to_addr(ip) in blocks )
 				return T;
 			}
 		}
-	return catch_release_intervals[blocks[idx]];
+		return F;
 	}
-global current_blocks: set[addr] = set()
+@if ( ! Cluster::is_enabled() || ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) )
 	&create_expire=0secs
 	&expire_func=current_block_interval;
-function drop_address_catch_release(a: addr, location: string &default=""): string
+event rule_added(r: Rule, p: PluginState, msg: string &default="")
 	{
 	if ( !cr_check_rule(r) )
 		return;
 	local ip = subnet_to_addr(r$entity$ip);
 	local bi = blocks[ip];
 	local log = populate_log_record(ip, bi, DROPPED);
 	if ( msg != "" )
 		log$message = msg;
 	Log::write(CATCH_RELEASE, log);
 	}
 event rule_timeout(r: Rule, i: FlowInfo, p: PluginState)
 	{
 	if ( !cr_check_rule(r) )
 		return;
 	local ip = subnet_to_addr(r$entity$ip);
 	local bi = blocks[ip];
 	local log = populate_log_record(ip, bi, UNBLOCK);
 	if ( bi?$block_until )
 		{
 		local difference: interval = network_time() - bi$block_until;
 		if ( interval_to_double(difference) > 60 || interval_to_double(difference) < -60 )
 			log$message = fmt("Difference between network_time and block time excessive: %f", difference);
 		}
 	Log::write(CATCH_RELEASE, log);
 	}
@endif
@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
 event catch_release_add(a: addr, location: string)
 	{
 	drop_address_catch_release(a, location);
 	}
 event catch_release_delete(a: addr)
 	{
 	unblock_address_catch_release(a);
 	}
 event catch_release_encountered(a: addr)
 	{
 	catch_release_seen(a);
 	}
@endif
@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
 event catch_release_block_new(a: addr, b: BlockInfo)
 	{
 	blocks[a] = b;
 	}
 event catch_release_block_delete(a: addr)
 	{
 	if ( a in blocks )
 		delete blocks[a];
 	}
@endif
@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
@endif
 function get_catch_release_info(a: addr): BlockInfo
 	{
-		Reporter::warning(fmt("Address %s already blocked using catch-and-release - ignoring duplicate", a));
+	if ( a in blocks )
-		return "";
+		return blocks[a];
 	return BlockInfo($watch_until=double_to_time(0), $current_interval=0, $current_block_id="");
 	}
 function drop_address_catch_release(a: addr, location: string &default=""): BlockInfo
 	{
 	local bi: BlockInfo;
 	local log: CatchReleaseInfo;
 	if ( a in blocks )
 		{
 		log = populate_log_record(a, blocks[a], INFO);
 		log$message = "Already blocked using catch-and-release - ignoring duplicate";
 		Log::write(CATCH_RELEASE, log);
 		return blocks[a];
 		}
 	local e = Entity($ty=ADDRESS, $ip=addr_to_subnet(a));
 	if ( [e,DROP] in rule_entities )
 		{
 		local r = rule_entities[e,DROP];
 		bi = BlockInfo($watch_until=network_time()+catch_release_intervals[1], $current_interval=0, $current_block_id=r$id);
 		if ( location != "" )
 			bi$location = location;
@if ( ! Cluster::is_enabled() || ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) )
 		log = populate_log_record(a, bi, ADDED);
 		log$message = "Address already blocked outside of catch-and-release. Catch and release will monitor and only actively block if it appears in network traffic.";
 		Log::write(CATCH_RELEASE, log);
 		blocks[a] = bi;
 		event NetControl::catch_release_block_new(a, bi);
@endif
@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
 		event NetControl::catch_release_add(a, location);
@endif
 		return bi;
 		}
 	local block_interval = catch_release_intervals[0];
@if ( ! Cluster::is_enabled() || ( Cluster::is_enabled()  && Cluster::local_node_type() == Cluster::MANAGER ) )
 	local ret = drop_address(a, block_interval, location);
 	if ( ret != "" )
 		{
-		blocks[a] = 0;
+		bi = BlockInfo($watch_until=network_time()+catch_release_intervals[1], $block_until=network_time()+block_interval, $current_interval=0, $current_block_id=ret);
-		add current_blocks[a];
+		if ( location != "" )
 			bi$location = location;
 		blocks[a] = bi;
 		event NetControl::catch_release_block_new(a, bi);
 		blocks[a] = bi;
 		log = populate_log_record(a, bi, DROP);
 		Log::write(CATCH_RELEASE, log);
 		return bi;
 		}
 	Reporter::error(fmt("Catch and release could not add block for %s; failing.", a));
 	return BlockInfo($watch_until=double_to_time(0), $current_interval=0, $current_block_id="");
@endif
@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
 	bi = BlockInfo($watch_until=network_time()+catch_release_intervals[1], $block_until=network_time()+block_interval, $current_interval=0, $current_block_id="");
 	event NetControl::catch_release_add(a, location);
 	return bi;
@endif
 	}
-	return ret;
+function unblock_address_catch_release(a: addr): bool
 	}
 function check_conn(a: addr)
 	{
 	if ( a !in blocks )
 		return F;
@if ( ! Cluster::is_enabled() || ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) )
 	local bi = blocks[a];
 	local log = populate_log_record(a, bi, UNBLOCK);
 	Log::write(CATCH_RELEASE, log);
 	delete blocks[a];
 	if ( bi?$block_until && bi$block_until > network_time() && bi$current_block_id != "" )
 		remove_rule(bi$current_block_id);
@endif
@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
 	event NetControl::catch_release_block_delete(a);
@endif
@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
 	event NetControl::catch_release_delete(a);
@endif
 	return T;
 	}
 function catch_release_seen(a: addr)
 	{
 	local e = Entity($ty=ADDRESS, $ip=addr_to_subnet(a));
 	if ( a in blocks )
 		{
-		if ( a in current_blocks )
+@if ( ! Cluster::is_enabled() || ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) )
-			# block has not been applied yet?
+		local bi = blocks[a];
 		local log: CatchReleaseInfo;
 		if ( [e,DROP] in rule_entities )
 			{
 			if ( catch_release_warn_blocked_ip_encountered == F )
 				return;
 			# This should be blocked - block has not been applied yet by hardware? Ignore for the moment...
 			log = populate_log_record(a, bi, INFO);
 			log$action = INFO;
 			log$message = "Block seen while in rule_entities. No action taken.";
 			Log::write(CATCH_RELEASE, log);
 			return;
 			}
 		# ok, this one returned again while still in the backoff period.
-		local try = blocks[a];
+
 		local try = bi$current_interval;
 		if ( (try+1) in catch_release_intervals )
 			++try;
-		blocks[a] = try;
+		bi$current_interval = try;
-		add current_blocks[a];
+		if ( (try+1) in catch_release_intervals )
 			bi$watch_until = network_time() + catch_release_intervals[try+1];
 		else
 			bi$watch_until = network_time() + catch_release_intervals[try];
 		bi$block_until = network_time() + catch_release_intervals[try];
 		++bi$num_reblocked;
 		local block_interval = catch_release_intervals[try];
-		drop_address(a, block_interval, "Re-drop by catch-and-release");
+		local location = "";
 		if ( bi?$location )
 			location = bi$location;
 		local drop = drop_address(a, block_interval, fmt("Re-drop by catch-and-release: %s", location));
 		bi$current_block_id = drop;
 		blocks[a] = bi;
 		log = populate_log_record(a, bi, SEEN_AGAIN);
 		Log::write(CATCH_RELEASE, log);
@endif
@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
 	event NetControl::catch_release_block_new(a, bi);
@endif
@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
 	if ( a in catch_release_recently_notified )
 		return;
 	event NetControl::catch_release_encountered(a);
 	add catch_release_recently_notified[a];
@endif
 		return;
 		}
 	return;
 	}
 event new_connection(c: connection)
 	{
-	# let's only check originating connections...
+	if ( watch_connections )
-	check_conn(c$id$orig_h);
+		catch_release_seen(c$id$orig_h);
 	}
 event connection_established(c: connection)
 	{
 	if ( watch_connections )
 		catch_release_seen(c$id$orig_h);
 	}
 event partial_connection(c: connection)
 	{
 	if ( watch_connections )
 		catch_release_seen(c$id$orig_h);
 	}
 event connection_attempt(c: connection)
 	{
 	if ( watch_connections )
 		catch_release_seen(c$id$orig_h);
 	}
 event connection_rejected(c: connection)
 	{
 	if ( watch_connections )
 		catch_release_seen(c$id$orig_h);
 	}
 event connection_reset(c: connection)
 	{
 	if ( watch_connections )
 		catch_release_seen(c$id$orig_h);
 	}
 event connection_pending(c: connection)
 	{
 	if ( watch_connections )
 		catch_release_seen(c$id$orig_h);
 	}
--- a/scripts/base/frameworks/netcontrol/cluster.bro
+++ b/scripts/base/frameworks/netcontrol/cluster.bro
@ -11,13 +11,15 @@ export {
 	## This is the event used to transport remove_rule calls to the manager.
 	global cluster_netcontrol_remove_rule: event(id: string);
 	## This is the event used to transport delete_rule calls to the manager.
 	global cluster_netcontrol_delete_rule: event(id: string);
 }
 ## Workers need ability to forward commands to manager.
-redef Cluster::worker2manager_events += /NetControl::cluster_netcontrol_(add|remove)_rule/;
+redef Cluster::worker2manager_events += /NetControl::cluster_netcontrol_(add|remove|delete)_rule/;
 ## Workers need to see the result events from the manager.
-redef Cluster::manager2worker_events += /NetControl::rule_(added|removed|timeout|error)/;
+redef Cluster::manager2worker_events += /NetControl::rule_(added|removed|timeout|error|exists|new|destroyed)/;
 function activate(p: PluginState, priority: int)
 	{
@ -36,6 +38,16 @@ function add_rule(r: Rule) : string
 		return add_rule_impl(r);
 	else
 		{
 		# we sync rule entities accross the cluster, so we
 		# acually can test if the rule already exists. If yes,
 		# refuse insertion already at the node.
 		if ( [r$entity, r$ty] in rule_entities )
 			{
 			log_rule_no_plugin(r, FAILED, "discarded duplicate insertion");
 			return "";
 			}
 		if ( r$id == "" )
 			r$id = cat(Cluster::node, ":", ++local_rule_count);
@ -44,6 +56,17 @@ function add_rule(r: Rule) : string
 		}
 	}
 function delete_rule(id: string) : bool
 	{
 	if ( Cluster::local_node_type() == Cluster::MANAGER )
 		return delete_rule_impl(id);
 	else
 		{
 		event NetControl::cluster_netcontrol_delete_rule(id);
 		return T; # well, we can't know here. So - just hope...
 		}
 	}
 function remove_rule(id: string) : bool
 	{
 	if ( Cluster::local_node_type() == Cluster::MANAGER )
@ -56,6 +79,11 @@ function remove_rule(id: string) : bool
 	}
@if ( Cluster::local_node_type() == Cluster::MANAGER )
 event NetControl::cluster_netcontrol_delete_rule(id: string)
 	{
 	delete_rule_impl(id);
 	}
 event NetControl::cluster_netcontrol_add_rule(r: Rule)
 	{
 	add_rule_impl(r);
@ -65,17 +93,23 @@ event NetControl::cluster_netcontrol_remove_rule(id: string)
 	{
 	remove_rule_impl(id);
 	}
@endif
@if ( Cluster::local_node_type() == Cluster::MANAGER )
 event rule_expire(r: Rule, p: PluginState) &priority=-5
 	{
 	rule_expire_impl(r, p);
 	}
 event rule_exists(r: Rule, p: PluginState, msg: string &default="") &priority=5
 	{
 	rule_added_impl(r, p, T, msg);
 	if ( r?$expire && r$expire > 0secs && ! p$plugin$can_expire )
 		schedule r$expire { rule_expire(r, p) };
 	}
 event rule_added(r: Rule, p: PluginState, msg: string &default="") &priority=5
 	{
-	rule_added_impl(r, p, msg);
+	rule_added_impl(r, p, F, msg);
 	if ( r?$expire && r$expire > 0secs && ! p$plugin$can_expire )
 		schedule r$expire { rule_expire(r, p) };
@ -97,3 +131,30 @@ event rule_error(r: Rule, p: PluginState, msg: string &default="") &priority=-5
 	}
@endif
 # Workers use the events to keep track in their local state tables
@if ( Cluster::local_node_type() != Cluster::MANAGER )
 event rule_new(r: Rule) &priority=5
 	{
 	if ( r$id in rules )
 		return;
 	rules[r$id] = r;
 	rule_entities[r$entity, r$ty] = r;
 	add_subnet_entry(r);
 	}
 event rule_destroyed(r: Rule) &priority=5
 	{
 	if ( r$id !in rules )
 		return;
 	remove_subnet_entry(r);
 	if ( [r$entity, r$ty] in rule_entities )
 		delete rule_entities[r$entity, r$ty];
 	delete rules[r$id];
 	}
@endif
--- a/scripts/base/frameworks/netcontrol/drop.bro
+++ b/scripts/base/frameworks/netcontrol/drop.bro
@ -44,6 +44,12 @@ export {
 		location: string	&log &optional;
 	};
 	## Hook that allows the modification of rules passed to drop_* before they
 	## are passed on. If one of the hooks uses break, the rule is ignored.
 	##
 	## r: The rule to be added
 	global NetControl::drop_rule_policy: hook(r: Rule);
 	## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
 	## record as it is sent on to the logging framework.
 	global log_netcontrol_drop: event(rec: DropInfo);
@ -59,6 +65,9 @@ function drop_connection(c: conn_id, t: interval, location: string &default="")
 	local e: Entity = [$ty=CONNECTION, $conn=c];
 	local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];
 	if ( ! hook NetControl::drop_rule_policy(r) )
 		return "";
 	local id = add_rule(r);
 	# Error should already be logged
@ -80,6 +89,9 @@ function drop_address(a: addr, t: interval, location: string &default="") : stri
 	local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)];
 	local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];
 	if ( ! hook NetControl::drop_rule_policy(r) )
 		return "";
 	local id = add_rule(r);
 	# Error should already be logged
--- a/scripts/base/frameworks/netcontrol/main.bro
+++ b/scripts/base/frameworks/netcontrol/main.bro
@ -1,4 +1,4 @@
-##! Bro's packet aquisition and control framework.
+##! Bro's NetControl framework.
 ##!
 ##! This plugin-based framework allows to control the traffic that Bro monitors
 ##! as well as, if having access to the forwarding path, the traffic the network
@ -81,9 +81,11 @@ export {
 	## Returns: The id of the inserted rule on succes and zero on failure.
 	global redirect_flow: function(f: flow_id, out_port: count, t: interval, location: string &default="") : string;
-	## Quarantines a host by redirecting rewriting DNS queries to the network dns server dns
+	## Quarantines a host. This requires a special quarantine server, which runs a HTTP server explaining
-	## to the host. Host has to answer to all queries with its own address. Only http communication
+	## the quarantine and a DNS server which resolves all requests to the quarantine server. DNS queries
-	## from infected to quarantinehost is allowed.
+	## from the host to the network DNS server will be rewritten and will be sent to the quarantine server
 	## instead. Only http communication infected to quarantinehost is allowed. All other network communication
 	## is blocked.
 	##
 	## infected: the host to quarantine
 	##
@ -96,7 +98,7 @@ export {
 	## Returns: Vector of inserted rules on success, empty list on failure.
 	global quarantine_host: function(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string;
-	## Flushes all state.
+	## Flushes all state by calling :bro:see:`NetControl::remove_rule` on all currently active rules.
 	global clear: function();
 	# ###
@ -120,7 +122,7 @@ export {
 	## Removes a rule.
 	##
-	## id: The rule to remove, specified as the ID returned by :bro:id:`NetControl::add_rule`.
+	## id: The rule to remove, specified as the ID returned by :bro:see:`NetControl::add_rule`.
 	##
 	## Returns: True if succesful, the relevant plugin indicated that it knew
 	##          how to handle the removal. Note that again "success" means the
@ -129,8 +131,23 @@ export {
 	##          wrong at that point.
 	global remove_rule: function(id: string) : bool;
 	## Deletes a rule without removing in from the backends to which it has been
 	## added before. This mean that no messages will be sent to the switches to which
 	## the rule has been added; if it is not removed from them by a separate mechanism,
 	## it will stay installed and not be removed later.
 	##
 	## id: The rule to delete, specified as the ID returned by :bro:see:`add_rule` .
 	##
 	## Returns: True if removal is successful, or sent to manager.
 	##          False if the rule could not be found.
 	global delete_rule: function(id: string) : bool;
 	## Searches all rules affecting a certain IP address.
 	##
 	## This function works on both the manager and workers of a cluster. Note that on
 	## the worker, the internal rule variables (starting with _) will not reflect the
 	## current state.
 	##
 	## ip: The ip address to search for
 	##
 	## Returns: vector of all rules affecting the IP address
@ -138,6 +155,18 @@ export {
 	## Searches all rules affecting a certain subnet.
 	##
 	## A rule affects a subnet, if it covers the whole subnet. Note especially that
 	## this function will not reveal all rules that are covered by a subnet.
 	##
 	## For example, a search for 192.168.17.0/8 will reveal a rule that exists for
 	## 192.168.0.0/16, since this rule affects the subnet. However, it will not reveal
 	## a more specific rule for 192.168.17.1/32, which does not directy affect the whole
 	## subnet.
 	##
 	## This function works on both the manager and workers of a cluster. Note that on
 	## the worker, the internal rule variables (starting with _) will not reflect the
 	## current state.
 	##
 	## sn: The subnet to search for
 	##
 	## Returns: vector of all rules affecting the subnet
@ -145,7 +174,7 @@ export {
 	###### Asynchronous feedback on rules.
-	## Confirms that a rule was put in place.
+	## Confirms that a rule was put in place by a plugin.
 	##
 	## r: The rule now in place.
 	##
@ -154,7 +183,21 @@ export {
 	## msg: An optional informational message by the plugin.
 	global rule_added: event(r: Rule, p: PluginState, msg: string &default="");
-	## Reports that a rule was removed due to a remove: function() call.
+	## Signals that a rule that was supposed to be put in place was already
 	## existing at the specified plugin. Rules that already have been existing
 	## continue to be tracked like normal, but no timeout calls will be sent
 	## to the specified plugins. Removal of the rule from the hardware can
 	## still be forced by manually issuing a remove_rule call.
 	##
 	## r: The rule that was already in place.
 	##
 	## p: The plugin that reported that the rule already was in place.
 	##
 	## msg: An optional informational message by the plugin.
 	global rule_exists: event(r: Rule, p: PluginState, msg: string &default="");
 	## Reports that a plugin reports a rule was removed due to a
 	## remove: function() vall.
 	##
 	## r: The rule now removed.
 	##
@ -164,7 +207,7 @@ export {
 	## msg: An optional informational message by the plugin.
 	global rule_removed: event(r: Rule, p: PluginState, msg: string &default="");
-	## Reports that a rule was removed internally due to a timeout.
+	## Reports that a rule was removed from a plugin due to a timeout.
 	##
 	## r: The rule now removed.
 	##
@ -185,6 +228,26 @@ export {
 	## msg: An optional informational message by the plugin.
 	global rule_error: event(r: Rule, p: PluginState, msg: string &default="");
 	## This event is raised when a new rule is created by the NetControl framework
 	## due to a call to add_rule. From this moment, until the rule_destroyed event
 	## is raised, the rule is tracked internally by the NetControl framewory.
 	##
 	## Note that this event does not mean that a rule was succesfully added by
 	## any backend; it just means that the rule has been accepted and addition
 	## to the specified backend is queued. To get information when rules are actually
 	## installed by the hardware, use the rule_added, rule_exists, rule_removed, rule_timeout
 	## and rule_error events.
 	global rule_new: event(r: Rule);
 	## This event is raised when a rule is deleted from the NetControl framework,
 	## because it is no longer in use. This can be caused by the fact that a rule
 	## was removed by all plugins to which it was added, by the fact that it timed out
 	## or due to rule errors.
 	##
 	## To get the cause or a rule remove, hook the rule_removed, rule_timeout and
 	## rule_error calls.
 	global rule_destroyed: event(r: Rule);
 	## Hook that allows the modification of rules passed to add_rule before they
 	## are passed on to the plugins. If one of the hooks uses break, the rule is
 	## ignored and not passed on to any plugin.
@ -206,17 +269,18 @@ export {
 		MESSAGE,
 		## A log entry reflecting a framework message.
 		ERROR,
-		## A log entry about about a rule.
+		## A log entry about a rule.
 		RULE
 	};
 	## State of an entry in the NetControl log.
 	type InfoState: enum {
-		REQUESTED,
+		REQUESTED, ##< The request to add/remove a rule was sent to the respective backend
-		SUCCEEDED,
+		SUCCEEDED, ##< A rule was succesfully added by a backend
-		FAILED,
+		EXISTS, ##< A backend reported that a rule was already existing
-		REMOVED,
+		FAILED, ##< A rule addition failed
-		TIMEOUT,
+		REMOVED, ##< A rule was succesfully removed by a backend
 		TIMEOUT, ##< A rule timeout was triggered by the NetControl framework or a backend
 	};
 	## The record type defining the column fields of the NetControl log.
@ -259,11 +323,13 @@ export {
 }
 redef record Rule += {
-	##< Internally set to the plugins handling the rule.
+	## Internally set to the plugins handling the rule.
 	_plugin_ids: set[count] &default=count_set();
-	##< Internally set to the plugins on which the rule is currently active.
+	## Internally set to the plugins on which the rule is currently active.
 	_active_plugin_ids: set[count] &default=count_set();
-	##< Track if the rule was added succesfully by all responsible plugins.
+	## Internally set to plugins where the rule should not be removed upon timeout.
 	_no_expire_plugins: set[count] &default=count_set();
 	## Track if the rule was added succesfully by all responsible plugins.
 	_added: bool &default=F;
 };
@ -535,6 +601,11 @@ function plugin_activated(p: PluginState)
 		log_error("unknown plugin activated", p);
 		return;
 		}
 	# Suppress duplicate activation
 	if ( plugin_ids[id]$_activated == T )
 		return;
 	plugin_ids[id]$_activated = T;
 	log_msg("activation finished", p);
@ -727,6 +798,8 @@ function add_rule_impl(rule: Rule) : string
 		add_subnet_entry(rule);
 		event NetControl::rule_new(rule);
 		return rule$id;
 		}
@ -734,6 +807,32 @@ function add_rule_impl(rule: Rule) : string
 	return "";
 	}
 function rule_cleanup(r: Rule)
 	{
 	if ( |r$_active_plugin_ids| > 0 )
 		return;
 	remove_subnet_entry(r);
 	delete rule_entities[r$entity, r$ty];
 	delete rules[r$id];
 	event NetControl::rule_destroyed(r);
 	}
 function delete_rule_impl(id: string): bool
 	{
 	if ( id !in rules )
 		return F;
 	local rule = rules[id];
 	rule$_active_plugin_ids = set();
 	rule_cleanup(rule);
 	return T;
 	}
 function remove_rule_plugin(r: Rule, p: PluginState): bool
 	{
 	local success = T;
@ -782,10 +881,21 @@ function rule_expire_impl(r: Rule, p: PluginState) &priority=-5
 		# Removed already.
 		return;
 	local rule = rules[r$id];
 	if ( p$_id in rule$_no_expire_plugins )
 		{
 		# in this case - don't log anything, just remove the plugin from the rule
 		# and cleaup
 		delete rule$_active_plugin_ids[p$_id];
 		delete rule$_no_expire_plugins[p$_id];
 		rule_cleanup(rule);
 		}
 	else
 		event NetControl::rule_timeout(r, FlowInfo(), p); # timeout implementation will handle the removal
 	}
-function rule_added_impl(r: Rule, p: PluginState, msg: string &default="")
+function rule_added_impl(r: Rule, p: PluginState, exists: bool, msg: string &default="")
 	{
 	if ( r$id !in rules )
 		{
@ -801,6 +911,14 @@ function rule_added_impl(r: Rule, p: PluginState, msg: string &default="")
 		return;
 		}
 	# The rule was already existing on the backend. Mark this so we don't timeout
 	# it on this backend.
 	if ( exists )
 		{
 		add rule$_no_expire_plugins[p$_id];
 		log_rule(r, "ADD", EXISTS, p, msg);
 		}
 	else
 		log_rule(r, "ADD", SUCCEEDED, p, msg);
 	add rule$_active_plugin_ids[p$_id];
@ -811,17 +929,6 @@ function rule_added_impl(r: Rule, p: PluginState, msg: string &default="")
 		}
 	}
 function rule_cleanup(r: Rule)
 	{
 	if ( |r$_active_plugin_ids| > 0 )
 		return;
 	remove_subnet_entry(r);
 	delete rule_entities[r$entity, r$ty];
 	delete rules[r$id];
 	}
 function rule_removed_impl(r: Rule, p: PluginState, msg: string &default="")
 	{
 	if ( r$id !in rules )
--- a/scripts/base/frameworks/netcontrol/non-cluster.bro
+++ b/scripts/base/frameworks/netcontrol/non-cluster.bro
@ -12,6 +12,11 @@ function add_rule(r: Rule) : string
 	return add_rule_impl(r);
 	}
 function delete_rule(id: string) : bool
 	{
 	return delete_rule_impl(id);
 	}
 function remove_rule(id: string) : bool
 	{
 	return remove_rule_impl(id);
@ -22,9 +27,17 @@ event rule_expire(r: Rule, p: PluginState) &priority=-5
 	rule_expire_impl(r, p);
 	}
 event rule_exists(r: Rule, p: PluginState, msg: string &default="") &priority=5
 	{
 	rule_added_impl(r, p, T, msg);
 	if ( r?$expire && r$expire > 0secs && ! p$plugin$can_expire )
 		schedule r$expire { rule_expire(r, p) };
 	}
 event rule_added(r: Rule, p: PluginState, msg: string &default="") &priority=5
 	{
-	rule_added_impl(r, p, msg);
+	rule_added_impl(r, p, F, msg);
 	if ( r?$expire && r$expire > 0secs && ! p$plugin$can_expire )
 		schedule r$expire { rule_expire(r, p) };
--- a/scripts/base/frameworks/netcontrol/plugin.bro
+++ b/scripts/base/frameworks/netcontrol/plugin.bro
@ -1,11 +1,13 @@
-##! Plugin interface  for NetControl backends.
+##! This file defines the plugin interface for NetControl.
 module NetControl;
@load ./types
 export {
-	## State for a plugin instance.
+	## This record keeps the per instance state of a plugin.
 	##
 	## Individual plugins commonly extend this record to suit their needs.
 	type PluginState: record {
 		## Table for a plugin to store custom, instance-specfific state. 
 		config: table[string] of string &default=table();
@ -20,66 +22,66 @@ export {
 		_activated: bool &default=F;
 	};
-	# Definition of a plugin.
+	## Definition of a plugin.
-	#
+	##
-	# Generally a plugin needs to implement only what it can support.  By
+	## Generally a plugin needs to implement only what it can support.  By
-	# returning failure, it indicates that it can't support something and the
+	## returning failure, it indicates that it can't support something and the
-	# the framework will then try another plugin, if available; or inform the
+	## the framework will then try another plugin, if available; or inform the
-	# that the operation failed. If a function isn't implemented by a plugin,
+	## that the operation failed. If a function isn't implemented by a plugin,
-	# that's considered an implicit failure to support the operation.
+	## that's considered an implicit failure to support the operation.
-	#
+	##
-	# If plugin accepts a rule operation, it *must* generate one of the reporting
+	## If plugin accepts a rule operation, it *must* generate one of the reporting
-	# events ``rule_{added,remove,error}`` to signal if it indeed worked out;
+	## events ``rule_{added,remove,error}`` to signal if it indeed worked out;
-	# this is separate from accepting the operation because often a plugin
+	## this is separate from accepting the operation because often a plugin
-	# will only know later (i.e., asynchrously) if that was an error for
+	## will only know later (i.e., asynchrously) if that was an error for
-	# something it thought it could handle.
+	## something it thought it could handle.
 	type Plugin: record {
-		# Returns a descriptive name of the plugin instance, suitable for use in logging
+		## Returns a descriptive name of the plugin instance, suitable for use in logging
-		# messages. Note that this function is not optional.
+		## messages. Note that this function is not optional.
 		name: function(state: PluginState) : string;
-		## If true, plugin can expire rules itself. If false,
+		## If true, plugin can expire rules itself. If false, the NetControl
 		## framework will manage rule expiration. 
 		can_expire: bool;
-		# One-time initialization function called when plugin gets registered, and
+		## One-time initialization function called when plugin gets registered, and
-		# before any other methods are called.
+		## before any other methods are called.
-		#
+		##
-		# If this function is provided, NetControl assumes that the plugin has to
+		## If this function is provided, NetControl assumes that the plugin has to
-		# perform, potentially lengthy, initialization before the plugin will become
+		## perform, potentially lengthy, initialization before the plugin will become
-		# active. In this case, the plugin has to call ``NetControl::plugin_activated``,
+		## active. In this case, the plugin has to call ``NetControl::plugin_activated``,
-		# once initialization finishes.
+		## once initialization finishes.
 		init: function(state: PluginState) &optional;
-		# One-time finalization function called when a plugin is shutdown; no further
+		## One-time finalization function called when a plugin is shutdown; no further
-		# functions will be called afterwords.
+		## functions will be called afterwords.
 		done: function(state: PluginState) &optional;
-		# Implements the add_rule() operation. If the plugin accepts the rule,
+		## Implements the add_rule() operation. If the plugin accepts the rule,
-		# it returns true, false otherwise. The rule will already have its
+		## it returns true, false otherwise. The rule will already have its
-		# ``id`` field set, which the plugin may use for identification
+		## ``id`` field set, which the plugin may use for identification
-		# purposes.
+		## purposes.
 		add_rule: function(state: PluginState, r: Rule) : bool &optional;
-		# Implements the remove_rule() operation. This will only be called for
+		## Implements the remove_rule() operation. This will only be called for
-		# rules that the plugins has previously accepted with add_rule(). The
+		## rules that the plugins has previously accepted with add_rule(). The
-		# ``id`` field will match that of the add_rule() call.  Generally,
+		## ``id`` field will match that of the add_rule() call.  Generally,
-		# a plugin that accepts an add_rule() should also accept the
+		## a plugin that accepts an add_rule() should also accept the
-		# remove_rule().
+		## remove_rule().
 		remove_rule: function(state: PluginState, r: Rule) : bool &optional;
-		# A transaction groups a number of operations. The plugin can add them internally
+		## A transaction groups a number of operations. The plugin can add them internally
-		# and postpone putting them into effect until committed. This allows to build a
+		## and postpone putting them into effect until committed. This allows to build a
-		# configuration of multiple rules at once, including replaying a previous state.
+		## configuration of multiple rules at once, including replaying a previous state.
 		transaction_begin: function(state: PluginState) &optional;
 		transaction_end: function(state: PluginState) &optional;
 	};
-	# Table for a plugin to store instance-specific configuration information.
+	## Table for a plugin to store instance-specific configuration information.
-	#
+	##
-	# Note, it would be nicer to pass the Plugin instance to all the below, instead
+	## Note, it would be nicer to pass the Plugin instance to all the below, instead
-	# of this state table. However Bro's type resolver has trouble with refering to a
+	## of this state table. However Bro's type resolver has trouble with refering to a
-	# record type from inside itself.
+	## record type from inside itself.
 	redef record PluginState += {
 		## The plugin that the state belongs to. (Defined separately
 		## because of cyclic type dependency.)
--- a/scripts/base/frameworks/netcontrol/plugins/README
+++ b/scripts/base/frameworks/netcontrol/plugins/README
@ -0,0 +1 @@
 Plugins for the NetControl framework
--- a/scripts/base/frameworks/netcontrol/plugins/acld.bro
+++ b/scripts/base/frameworks/netcontrol/plugins/acld.bro
@ -66,6 +66,7 @@ export {
 	## Events that are sent from Broker to us
 	global acld_rule_added: event(id: count, r: Rule, msg: string);
 	global acld_rule_removed: event(id: count, r: Rule, msg: string);
 	global acld_rule_exists: event(id: count, r: Rule, msg: string);
 	global acld_rule_error: event(id: count, r: Rule, msg: string);
 }
@ -76,7 +77,7 @@ global netcontrol_acld_current_id: count = 0;
 const acld_add_to_remove: table[string] of string = {
 	["drop"] = "restore",
-	["whitelist"] = "remwhitelist",
+	["addwhitelist"] = "remwhitelist",
 	["blockhosthost"] = "restorehosthost",
 	["droptcpport"] = "restoretcpport",
 	["dropudpport"] = "restoreudpport",
@ -100,6 +101,19 @@ event NetControl::acld_rule_added(id: count, r: Rule, msg: string)
 	event NetControl::rule_added(r, p, msg);
 	}
 event NetControl::acld_rule_exists(id: count, r: Rule, msg: string)
 	{
 	if ( id !in netcontrol_acld_id )
 		{
 		Reporter::error(fmt("NetControl acld plugin with id %d not found, aborting", id));
 		return;
 		}
 	local p = netcontrol_acld_id[id];
 	event NetControl::rule_exists(r, p, msg);
 	}
 event NetControl::acld_rule_removed(id: count, r: Rule, msg: string)
 	{
 	if ( id !in netcontrol_acld_id )
@ -155,7 +169,7 @@ function rule_to_acl_rule(p: PluginState, r: Rule) : AclRule
 		if ( r$ty == DROP )
 			command = "drop";
 		else if ( r$ty == WHITELIST )
-			command = "whitelist";
+			command = "addwhitelist";
 		arg = cat(e$ip);
 		}
 	else if ( e$ty == FLOW )
--- a/scripts/base/frameworks/netcontrol/plugins/broker.bro
+++ b/scripts/base/frameworks/netcontrol/plugins/broker.bro
@ -11,18 +11,38 @@ module NetControl;
@ifdef ( Broker::__enable )
 export {
 	## This record specifies the configuration that is passed to :bro:see:`NetControl::create_broker`.
 	type BrokerConfig: record {
 		## The broker topic used to send events to
 		topic: string &optional;
 		## Broker host to connect to
 		host: addr &optional;
 		## Broker port to connect to
 		bport: port &optional;
 		## Do we accept rules for the monitor path? Default true
 		monitor: bool &default=T;
 		## Do we accept rules for the forward path? Default true
 		forward: bool &default=T;
 		## Predicate that is called on rule insertion or removal.
 		##
 		## p: Current plugin state
 		##
 		## r: The rule to be inserted or removed
 		##
 		## Returns: T if the rule can be handled by the current backend, F otherwhise
 		check_pred: function(p: PluginState, r: Rule): bool &optional;
 	};
 	## Instantiates the broker plugin.
-	global create_broker: function(host: addr, host_port: port, topic: string, can_expire: bool &default=F) : PluginState;
+	global create_broker: function(config: BrokerConfig, can_expire: bool) : PluginState;
 	redef record PluginState += {
-		## The broker topic used to send events to
+		## OpenFlow controller for NetControl Broker plugin
-		broker_topic: string &optional;
+		broker_config: BrokerConfig &optional;
 		## The ID of this broker instance - for the mapping to PluginStates
 		broker_id: count &optional;
 		## Broker host to connect to
 		broker_host: addr &optional;
 		## Broker port to connect to
 		broker_port: port &optional;
 	};
 	global broker_add_rule: event(id: count, r: Rule);
@ -30,6 +50,7 @@ export {
 	global broker_rule_added: event(id: count, r: Rule, msg: string);
 	global broker_rule_removed: event(id: count, r: Rule, msg: string);
 	global broker_rule_exists: event(id: count, r: Rule, msg: string);
 	global broker_rule_error: event(id: count, r: Rule, msg: string);
 	global broker_rule_timeout: event(id: count, r: Rule, i: FlowInfo);
 }
@ -52,6 +73,19 @@ event NetControl::broker_rule_added(id: count, r: Rule, msg: string)
 	event NetControl::rule_added(r, p, msg);
 	}
 event NetControl::broker_rule_exists(id: count, r: Rule, msg: string)
 	{
 	if ( id !in netcontrol_broker_id )
 		{
 		Reporter::error(fmt("NetControl broker plugin with id %d not found, aborting", id));
 		return;
 		}
 	local p = netcontrol_broker_id[id];
 	event NetControl::rule_exists(r, p, msg);
 	}
 event NetControl::broker_rule_removed(id: count, r: Rule, msg: string)
 	{
 	if ( id !in netcontrol_broker_id )
@ -93,26 +127,48 @@ event NetControl::broker_rule_timeout(id: count, r: Rule, i: FlowInfo)
 function broker_name(p: PluginState) : string
 	{
-	return fmt("Broker-%s", p$broker_topic);
+	return fmt("Broker-%s", p$broker_config$topic);
 	}
 function broker_check_rule(p: PluginState, r: Rule) : bool
 	{
 	local c = p$broker_config;
 	if ( p$broker_config?$check_pred )
 		return p$broker_config$check_pred(p, r);
 	if ( r$target == MONITOR && c$monitor )
 		return T;
 	if ( r$target == FORWARD && c$forward )
 		return T;
 	return F;
 	}
 function broker_add_rule_fun(p: PluginState, r: Rule) : bool
 	{
-	Broker::send_event(p$broker_topic, Broker::event_args(broker_add_rule, p$broker_id, r));
+	if ( ! broker_check_rule(p, r) )
 		return F;
 	Broker::send_event(p$broker_config$topic, Broker::event_args(broker_add_rule, p$broker_id, r));
 	return T;
 	}
 function broker_remove_rule_fun(p: PluginState, r: Rule) : bool
 	{
-	Broker::send_event(p$broker_topic, Broker::event_args(broker_remove_rule, p$broker_id, r));
+	if ( ! broker_check_rule(p, r) )
 		return F;
 	Broker::send_event(p$broker_config$topic, Broker::event_args(broker_remove_rule, p$broker_id, r));
 	return T;
 	}
 function broker_init(p: PluginState)
 	{
 	Broker::enable();
-	Broker::connect(cat(p$broker_host), p$broker_port, 1sec);
+	Broker::connect(cat(p$broker_config$host), p$broker_config$bport, 1sec);
-	Broker::subscribe_to_events(p$broker_topic);
+	Broker::subscribe_to_events(p$broker_config$topic);
 	}
 event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string)
@ -140,23 +196,23 @@ global broker_plugin_can_expire = Plugin(
 	$init = broker_init
 	);
-function create_broker(host: addr, host_port: port, topic: string, can_expire: bool &default=F) : PluginState
+function create_broker(config: BrokerConfig, can_expire: bool) : PluginState
 	{
-	if ( topic in netcontrol_broker_topics )
+	if ( config$topic in netcontrol_broker_topics )
-		Reporter::warning(fmt("Topic %s was added to NetControl broker plugin twice. Possible duplication of commands", topic));
+		Reporter::warning(fmt("Topic %s was added to NetControl broker plugin twice. Possible duplication of commands", config$topic));
 	else
-		add netcontrol_broker_topics[topic];
+		add netcontrol_broker_topics[config$topic];
 	local plugin = broker_plugin;
 	if ( can_expire )
 		plugin = broker_plugin_can_expire;
-	local p: PluginState = [$broker_host=host, $broker_port=host_port, $plugin=plugin, $broker_topic=topic, $broker_id=netcontrol_broker_current_id];
+	local p = PluginState($plugin=plugin, $broker_id=netcontrol_broker_current_id, $broker_config=config);
-	if ( [host_port, cat(host)] in netcontrol_broker_peers )
+	if ( [config$bport, cat(config$host)] in netcontrol_broker_peers )
-		Reporter::warning(fmt("Peer %s:%s was added to NetControl broker plugin twice.", host, host_port));
+		Reporter::warning(fmt("Peer %s:%s was added to NetControl broker plugin twice.", config$host, config$bport));
 	else
-		netcontrol_broker_peers[host_port, cat(host)] = p;
+		netcontrol_broker_peers[config$bport, cat(config$host)] = p;
 	netcontrol_broker_id[netcontrol_broker_current_id] = p;
 	++netcontrol_broker_current_id;
--- a/scripts/base/frameworks/netcontrol/plugins/openflow.bro
+++ b/scripts/base/frameworks/netcontrol/plugins/openflow.bro
@ -7,22 +7,46 @@
 module NetControl;
 export {
 	## This record specifies the configuration that is passed to :bro:see:`NetControl::create_openflow`.
 	type OfConfig: record {
-		monitor: bool &default=T;
+		monitor: bool &default=T; ##< accept rules that target the monitor path
-		forward: bool &default=T;
+		forward: bool &default=T; ##< accept rules that target the forward path
-		idle_timeout: count &default=0;
+		idle_timeout: count &default=0; ##< default OpenFlow idle timeout
-		table_id: count &optional;
+		table_id: count &optional; ##< default OpenFlow table ID.
 		priority_offset: int &default=+0; ##< add this to all rule priorities. Can be useful if you want the openflow priorities be offset from the netcontrol priorities without having to write a filter function.
 		## Predicate that is called on rule insertion or removal.
 		##
-		## p: Current plugin state
+		## p: Current plugin state.
 		##
-		## r: The rule to be inserted or removed
+		## r: The rule to be inserted or removed.
 		##
-		## Returns: T if the rule can be handled by the current backend, F otherwhise
+		## Returns: T if the rule can be handled by the current backend, F otherwhise.
 		check_pred: function(p: PluginState, r: Rule): bool &optional;
 		## This predicate is called each time an OpenFlow match record is created.
 		## The predicate can modify the match structure before it is sent on to the
 		## device.
 		##
 		## p: Current plugin state.
 		##
 		## r: The rule to be inserted or removed.
 		##
 		## m: The openflow match structures that were generated for this rules.
 		##
 		## Returns: The modified OpenFlow match structures that will be used in place the structures passed in m.
 		match_pred: function(p: PluginState, e: Entity, m: vector of OpenFlow::ofp_match): vector of OpenFlow::ofp_match &optional;
 		## This predicate is called before an FlowMod message is sent to the OpenFlow
 		## device. It can modify the FlowMod message before it is passed on.
 		##
 		## p: Current plugin state.
 		##
 		## r: The rule to be inserted or removed.
 		##
 		## m: The OpenFlow FlowMod message.
 		##
 		## Returns: The modified FloMod message that is used in lieu of m.
 		flow_mod_pred: function(p: PluginState, r: Rule, m: OpenFlow::ofp_flow_mod): OpenFlow::ofp_flow_mod &optional;
 	};
--- a/scripts/base/frameworks/netcontrol/types.bro
+++ b/scripts/base/frameworks/netcontrol/types.bro
@ -1,30 +1,45 @@
-##! Types used by the NetControl framework.
+##! This file defines the that are used by the NetControl framework.
 ##!
 ##! The most important type defined in this file is :bro:see:`NetControl::Rule`,
 ##! which is used to describe all rules that can be expressed by the NetControl framework. 
 module NetControl;
 export {
 	## The default priority that is used when creating rules.
 	const default_priority: int = +0 &redef;
 	## The default priority that is used when using the high-level functions to
 	## push whitelist entries to the backends (:bro:see:`NetControl::whitelist_address` and
 	## :bro:see:`NetControl::whitelist_subnet`).
 	##
 	## Note that this priority is not automatically used when manually creating rules
 	## that have a :bro:see:`NetControl::RuleType` of :bro:enum:`NetControl::WHITELIST`.
 	const whitelist_priority: int = +5 &redef;
-	## Type of a :bro:id:`Entity` for defining an action.
+	## The EntityType is used in :bro:id:`Entity` for defining the entity that a rule
 	## applies to.
 	type EntityType: enum {
 		ADDRESS,	##< Activity involving a specific IP address.
-		CONNECTION,	##< All of a bi-directional connection's activity.
+		CONNECTION,	##< Activity involving all of a bi-directional connection's activity.
-		FLOW,		##< All of a uni-directional flow's activity. Can contain wildcards.
+		FLOW,		##< Actitivy involving a uni-directional flow's activity. Can contain wildcards.
 		MAC,		##< Activity involving a MAC address.
 	};
-	## Type for defining a flow.
+	## Flow is used in :bro:id:`Entity` together with :bro:enum:`NetControl::FLOW` to specify
 	## a uni-directional flow that a :bro:id:`Rule` applies to.
 	##
 	## If optional fields are not set, they are interpreted as wildcarded.
 	type Flow: record {
 		src_h: subnet &optional;	##< The source IP address/subnet.
 		src_p: port &optional;	##< The source port number.
 		dst_h: subnet &optional;	##< The destination IP address/subnet.
-		dst_p: port &optional;	##< The desintation port number.
+		dst_p: port &optional;	##< The destination port number.
 		src_m: string &optional;	##< The source MAC address.
 		dst_m: string &optional;	##< The destination MAC address.
 	};
-	## Type defining the enity an :bro:id:`Rule` is operating on.
+	## Type defining the entity an :bro:id:`Rule` is operating on.
 	type Entity: record {
 		ty: EntityType;			##< Type of entity.
 		conn: conn_id &optional;	##< Used with :bro:enum:`NetControl::CONNECTION`.
@ -33,32 +48,36 @@ export {
 		mac: string &optional;		##< Used with :bro:enum:`NetControl::MAC`.
 	};
-	## Target of :bro:id:`Rule` action.
+	## The :bro:id`TargetType` defined the target of a :bro:id:`Rule`.
 	##
 	## Rules can either be applied to the forward path, affecting all network traffic, or
 	## on the monitor path, only affecting the traffic that is sent to Bro. The second
 	## is mostly used for shunting, which allows Bro to tell the networking hardware that
 	## it wants to no longer see traffic that it identified as benign.
 	type TargetType: enum {
 		FORWARD,	#< Apply rule actively to traffic on forwarding path.
 		MONITOR,	#< Apply rule passively to traffic sent to Bro for monitoring.
 	};
-	## Type of rules that the framework supports. Each type lists the
+	## Type of rules that the framework supports. Each type lists the extra
 	## :bro:id:`Rule` argument(s) it uses, if any.
 	##
 	## Plugins may extend this type to define their own.
 	type RuleType: enum {
-		## Stop forwarding all packets matching entity.
+		## Stop forwarding all packets matching the entity.
 		##
-		## No arguments.
+		## No additional arguments.
 		DROP,
-		## Begin modifying all packets matching entity.
+		## Modify all packets matching entity. The packets
 		## will be modified according to the `mod` entry of
 		## the rule.
 		##
 		## .. todo::
 		##	Define arguments.
 		MODIFY,
-		## Begin redirecting all packets matching entity.
+		## Redirect all packets matching entity to a different switch port,
 		## given in the `out_port` argument of the rule.
 		##
 		## .. todo::
 		##	c: output port to redirect traffic to.
 		REDIRECT,
 		## Whitelists all packets of an entity, meaning no restrictions will be applied.
--- a/scripts/base/frameworks/notice/actions/drop.bro
+++ b/scripts/base/frameworks/notice/actions/drop.bro
@ -2,13 +2,13 @@
 ##! dropping functionality.
@load ../main
@load base/frameworks/netcontrol
 module Notice;
 export {
 	redef enum Action += {
-		## Drops the address via Drop::drop_address, and generates an
+		## Drops the address via :bro:see:`NetControl::drop_address_catch_release`.
 		## alarm.
 		ACTION_DROP
 	};
@ -23,9 +23,13 @@ hook notice(n: Notice::Info)
 	{
 	if ( ACTION_DROP in n$actions )
 		{
-		#local drop = React::drop_address(n$src, "");
+		local ci = NetControl::get_catch_release_info(n$src);
-		#local addl = drop?$sub ? fmt(" %s", drop$sub) : "";
+		if ( ci$watch_until == double_to_time(0) )
-		#n$dropped = drop$note != Drop::AddressDropIgnored;
+			{
-		#n$msg += fmt(" [%s%s]", drop$note, addl);
+			# we have not seen this one yet. Drop it.
 			local addl = n?$msg ? fmt("ACTION_DROP: %s", n?$msg) : "ACTION_DROP";
 			local res = NetControl::drop_address_catch_release(n$src, addl);
 			n$dropped = res$watch_until != double_to_time(0);
 			}
 		}
 	}
--- a/scripts/base/frameworks/openflow/README
+++ b/scripts/base/frameworks/openflow/README
@ -0,0 +1,2 @@
 The OpenFlow framework exposes the datastructures and functions
 necessary to interface to OpenFlow capable hardware.
--- a/scripts/base/frameworks/openflow/plugins/README
+++ b/scripts/base/frameworks/openflow/plugins/README
@ -0,0 +1 @@
 Plugins for the OpenFlow framework.
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@ -1,4 +1,3 @@
@load base/frameworks/notice
@load base/utils/addrs
@load base/utils/directions-and-hosts
@load base/utils/email
--- a/scripts/policy/protocols/smtp/blocklists.bro
+++ b/scripts/policy/protocols/smtp/blocklists.bro
@ -1,6 +1,7 @@
 ##! Watch for various SPAM blocklist URLs in SMTP error messages.
@load base/protocols/smtp
@load base/frameworks/notice
 module SMTP;
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-06-07-19-22-42
+#open	2016-06-22-22-50-49
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@ -155,14 +155,38 @@ scripts/base/init-default.bro
    scripts/base/frameworks/notice/main.bro
    scripts/base/frameworks/notice/weird.bro
    scripts/base/frameworks/notice/actions/drop.bro
-    scripts/base/frameworks/notice/actions/email_admin.bro
+      scripts/base/frameworks/netcontrol/__load__.bro
-    scripts/base/frameworks/notice/actions/page.bro
+        scripts/base/frameworks/netcontrol/types.bro
-    scripts/base/frameworks/notice/actions/add-geodata.bro
+        scripts/base/frameworks/netcontrol/main.bro
-    scripts/base/frameworks/notice/extend-email/hostnames.bro
+          scripts/base/frameworks/netcontrol/plugin.bro
        scripts/base/frameworks/netcontrol/plugins/__load__.bro
          scripts/base/frameworks/netcontrol/plugins/debug.bro
          scripts/base/frameworks/netcontrol/plugins/openflow.bro
            scripts/base/frameworks/openflow/__load__.bro
              scripts/base/frameworks/openflow/consts.bro
              scripts/base/frameworks/openflow/types.bro
              scripts/base/frameworks/openflow/main.bro
              scripts/base/frameworks/openflow/plugins/__load__.bro
                scripts/base/frameworks/openflow/plugins/ryu.bro
                  scripts/base/utils/json.bro
                scripts/base/frameworks/openflow/plugins/log.bro
                scripts/base/frameworks/openflow/plugins/broker.bro
              scripts/base/frameworks/cluster/__load__.bro
                scripts/base/frameworks/cluster/main.bro
                  scripts/base/frameworks/control/__load__.bro
                    scripts/base/frameworks/control/main.bro
              scripts/base/frameworks/openflow/non-cluster.bro
          scripts/base/frameworks/netcontrol/plugins/packetfilter.bro
          scripts/base/frameworks/netcontrol/plugins/broker.bro
          scripts/base/frameworks/netcontrol/plugins/acld.bro
        scripts/base/frameworks/netcontrol/drop.bro
        scripts/base/frameworks/netcontrol/shunt.bro
        scripts/base/frameworks/netcontrol/catch-and-release.bro
        scripts/base/frameworks/netcontrol/non-cluster.bro
    scripts/base/frameworks/notice/actions/email_admin.bro
    scripts/base/frameworks/notice/actions/page.bro
    scripts/base/frameworks/notice/actions/add-geodata.bro
    scripts/base/frameworks/notice/extend-email/hostnames.bro
    scripts/base/frameworks/notice/non-cluster.bro
    scripts/base/frameworks/notice/actions/pp-alarms.bro
  scripts/base/frameworks/dpd/__load__.bro
@ -196,30 +220,6 @@ scripts/base/init-default.bro
    scripts/base/frameworks/sumstats/non-cluster.bro
  scripts/base/frameworks/tunnels/__load__.bro
    scripts/base/frameworks/tunnels/main.bro
  scripts/base/frameworks/openflow/__load__.bro
    scripts/base/frameworks/openflow/consts.bro
    scripts/base/frameworks/openflow/types.bro
    scripts/base/frameworks/openflow/main.bro
    scripts/base/frameworks/openflow/plugins/__load__.bro
      scripts/base/frameworks/openflow/plugins/ryu.bro
        scripts/base/utils/json.bro
      scripts/base/frameworks/openflow/plugins/log.bro
      scripts/base/frameworks/openflow/plugins/broker.bro
    scripts/base/frameworks/openflow/non-cluster.bro
  scripts/base/frameworks/netcontrol/__load__.bro
    scripts/base/frameworks/netcontrol/types.bro
    scripts/base/frameworks/netcontrol/main.bro
      scripts/base/frameworks/netcontrol/plugin.bro
    scripts/base/frameworks/netcontrol/plugins/__load__.bro
      scripts/base/frameworks/netcontrol/plugins/debug.bro
      scripts/base/frameworks/netcontrol/plugins/openflow.bro
      scripts/base/frameworks/netcontrol/plugins/packetfilter.bro
      scripts/base/frameworks/netcontrol/plugins/broker.bro
      scripts/base/frameworks/netcontrol/plugins/acld.bro
    scripts/base/frameworks/netcontrol/drop.bro
    scripts/base/frameworks/netcontrol/shunt.bro
    scripts/base/frameworks/netcontrol/catch-and-release.bro
    scripts/base/frameworks/netcontrol/non-cluster.bro
  scripts/base/protocols/conn/__load__.bro
    scripts/base/protocols/conn/main.bro
    scripts/base/protocols/conn/contents.bro
@ -311,4 +311,4 @@ scripts/base/init-default.bro
  scripts/base/misc/find-checksum-offloading.bro
  scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2016-06-07-19-22-42
+#close	2016-06-22-22-50-50
--- a/testing/btest/Baseline/coverage.find-bro-logs/out
+++ b/testing/btest/Baseline/coverage.find-bro-logs/out
@ -23,6 +23,7 @@ modbus
 modbus_register_change
 mysql
 net_control
 netcontrol_catch_release
 netcontrol_drop
 netcontrol_shunt
 notice
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-1-drop-with-debug_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-1-drop-with-debug_bro/output
@ -0,0 +1,14 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-1-drop-with-debug.bro
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	NetControl::drop_connection(c$id, 20 secs);
 	}
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-10-use-skeleton_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-10-use-skeleton_bro/output
@ -0,0 +1,14 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-10-use-skeleton.bro
 event NetControl::init()
 	{
 	local skeleton_plugin = NetControl::create_skeleton("");
 	NetControl::activate(skeleton_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	NetControl::drop_connection(c$id, 20 secs);
 	}
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-2-ssh-guesser_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-2-ssh-guesser_bro/output
@ -0,0 +1,20 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-2-ssh-guesser.bro
@load protocols/ssh/detect-bruteforcing
 redef SSH::password_guesses_limit=10;
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 hook Notice::policy(n: Notice::Info)
 	{
 	if ( n$note == SSH::Password_Guessing )
 		NetControl::drop_address(n$src, 60min);
 	}
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-3-ssh-guesser_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-3-ssh-guesser_bro/output
@ -0,0 +1,20 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-3-ssh-guesser.bro
@load protocols/ssh/detect-bruteforcing
 redef SSH::password_guesses_limit=10;
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 hook Notice::policy(n: Notice::Info)
 	{
 	if ( n$note == SSH::Password_Guessing )
 		add n$actions[Notice::ACTION_DROP];
 	}
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-4-drop_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-4-drop_bro/output
@ -0,0 +1,30 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-4-drop.bro
 function our_drop_connection(c: conn_id, t: interval)
 	{
 	# As a first step, create the NetControl::Entity that we want to block
 	local e = NetControl::Entity($ty=NetControl::CONNECTION, $conn=c);
 	# Then, use the entity to create the rule to drop the entity in the forward path
 	local r = NetControl::Rule($ty=NetControl::DROP,
 		$target=NetControl::FORWARD, $entity=e, $expire=t);
 	# Add the rule
 	local id = NetControl::add_rule(r);
 	if ( id == "" )
 		print "Error while dropping";
 	}
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	our_drop_connection(c$id, 20 secs);
 	}
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-5-hook_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-5-hook_bro/output
@ -0,0 +1,26 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-5-hook.bro
 hook NetControl::rule_policy(r: NetControl::Rule)
 	{
 	if ( r$ty == NetControl::DROP &&
 	     r$entity$ty == NetControl::CONNECTION &&
 			 r$entity$conn$orig_h in 192.168.0.0/16 )
 			 {
 			 print "Ignored connection from", r$entity$conn$orig_h;
 			 break;
 			 }
 	}
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	NetControl::drop_connection(c$id, 20 secs);
 	}
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-6-find_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-6-find_bro/output
@ -0,0 +1,21 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-6-find.bro
 event NetControl::init()
 	{
 	local netcontrol_debug = NetControl::create_debug(T);
 	NetControl::activate(netcontrol_debug, 0);
 	}
 event connection_established(c: connection)
 	{
 	if ( |NetControl::find_rules_addr(c$id$orig_h)| > 0 )
 		{
 		print "Rule already exists";
 		return;
 		}
 	NetControl::drop_connection(c$id, 20 secs);
 	print "Rule added";
 	}
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-7-catch-release_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-7-catch-release_bro/output
@ -0,0 +1,14 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-7-catch-release.bro
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	NetControl::drop_address_catch_release(c$id$orig_h);
 	}
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-8-multiple_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-8-multiple_bro/output
@ -0,0 +1,33 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-8-multiple.bro
 function our_openflow_check(p: NetControl::PluginState, r: NetControl::Rule): bool
 	{
 	if ( r$ty == NetControl::DROP &&
 		r$entity$ty == NetControl::ADDRESS &&
 		subnet_width(r$entity$ip) == 32 &&
 		subnet_to_addr(r$entity$ip) in 192.168.17.0/24 )
 		return F;
 	return T;
 	}
 event NetControl::init()
 	{
 	# Add debug plugin with low priority
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	# Instantiate OpenFlow debug plugin with higher priority
 	local of_controller = OpenFlow::log_new(42);
 	local netcontrol_of = NetControl::create_openflow(of_controller, [$check_pred=our_openflow_check]);
 	NetControl::activate(netcontrol_of, 10);
 	}
 event NetControl::init_done()
 	{
 	NetControl::drop_address(10.0.0.1, 1min);
 	NetControl::drop_address(192.168.17.2, 1min);
 	NetControl::drop_address(192.168.18.2, 1min);
 	}
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-9-skeleton_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-9-skeleton_bro/output
@ -0,0 +1,43 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-9-skeleton.bro
 module NetControl;
 export {
 	## Instantiates the plugin.
 	global create_skeleton: function(argument: string) : PluginState;
 }
 function skeleton_name(p: PluginState) : string
 	{
 	return "NetControl skeleton plugin";
 	}
 function skeleton_add_rule_fun(p: PluginState, r: Rule) : bool
 	{
 	print "add", r;
 	event NetControl::rule_added(r, p);
 	return T;
 	}
 	function skeleton_remove_rule_fun(p: PluginState, r: Rule) : bool
 	{
 	print "remove", r;
 	event NetControl::rule_removed(r, p);
 	return T;
 	}
 global skeleton_plugin = Plugin(
 	$name = skeleton_name,
 	$can_expire = F,
 	$add_rule = skeleton_add_rule_fun,
 	$remove_rule = skeleton_remove_rule_fun
 	);
 function create_skeleton(argument: string) : PluginState
 	{
 	local p = PluginState($plugin=skeleton_plugin);
 	return p;
 	}
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#1
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#1
@ -0,0 +1,32 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # bro -C -r tls/ecdhe.pcap netcontrol-1-drop-with-debug.bro
      netcontrol debug (Debug-All): init
      netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # cat netcontrol.log
      #separator \x09
      #set_separator	,
      #empty_field	(empty)
      #unset_field	-
      #path	netcontrol
      #open	2016-06-22-22-58-31
      #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
      #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
      0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
      0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
      0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
      1398529018.678276	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::CONNECTION	192.168.18.50/56981<->74.125.239.97/443	-	-	0	20.000000	-	Debug-All
      1398529018.678276	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::CONNECTION	192.168.18.50/56981<->74.125.239.97/443	-	-	0	20.000000	-	Debug-All
      #close	2016-06-22-22-58-31
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#2
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#2
@ -0,0 +1,18 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # cat netcontrol_drop.log
      #separator \x09
      #set_separator	,
      #empty_field	(empty)
      #unset_field	-
      #path	netcontrol_drop
      #open	2016-06-22-22-58-31
      #fields	ts	rule_id	orig_h	orig_p	resp_h	resp_p	expire	location
      #types	time	string	addr	port	addr	port	interval	string
      1398529018.678276	2	192.168.18.50	56981	74.125.239.97	443	20.000000	-
      #close	2016-06-22-22-58-31
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-2-ssh-guesser.bro/btest-doc.sphinx.netcontrol-2-ssh-guesser.bro#1
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-2-ssh-guesser.bro/btest-doc.sphinx.netcontrol-2-ssh-guesser.bro#1
@ -0,0 +1,32 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # bro -C -r ssh/sshguess.pcap netcontrol-2-ssh-guesser.bro
      netcontrol debug (Debug-All): init
      netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.56.1/32, mac=<uninitialized>], expire=1.0 hr, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # cat netcontrol.log
      #separator \x09
      #set_separator	,
      #empty_field	(empty)
      #unset_field	-
      #path	netcontrol
      #open	2016-06-22-22-58-36
      #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
      #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
      0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
      0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
      0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
      1427726711.398575	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.56.1/32	-	-	0	3600.000000	-	Debug-All
      1427726711.398575	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.56.1/32	-	-	0	3600.000000	-	Debug-All
      #close	2016-06-22-22-58-36
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#1
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#1
@ -0,0 +1,32 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # bro -C -r ssh/sshguess.pcap netcontrol-3-ssh-guesser.bro
      netcontrol debug (Debug-All): init
      netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.56.1/32, mac=<uninitialized>], expire=10.0 mins, priority=0, location=ACTION_DROP: T, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # cat netcontrol.log
      #separator \x09
      #set_separator	,
      #empty_field	(empty)
      #unset_field	-
      #path	netcontrol
      #open	2016-06-22-22-58-38
      #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
      #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
      0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
      0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
      0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
      1427726711.398575	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.56.1/32	-	-	0	600.000000	ACTION_DROP: T	Debug-All
      1427726711.398575	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.56.1/32	-	-	0	600.000000	ACTION_DROP: T	Debug-All
      #close	2016-06-22-22-58-38
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#2
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#2
@ -0,0 +1,18 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # cat notice.log
      #separator \x09
      #set_separator	,
      #empty_field	(empty)
      #unset_field	-
      #path	notice
      #open	2016-06-22-22-58-38
      #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
      #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
      1427726711.398575	-	-	-	-	-	-	-	-	-	SSH::Password_Guessing	192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections).	Sampled servers:  192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103	192.168.56.1	-	-	-	bro	Notice::ACTION_DROP,Notice::ACTION_LOG	3600.000000	T	-	-	-	-	-
      #close	2016-06-22-22-58-38
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-4-drop.bro/btest-doc.sphinx.netcontrol-4-drop.bro#1
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-4-drop.bro/btest-doc.sphinx.netcontrol-4-drop.bro#1
@ -0,0 +1,32 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # bro -C -r tls/ecdhe.pcap netcontrol-4-drop.bro
      netcontrol debug (Debug-All): init
      netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=<uninitialized>, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # cat netcontrol.log
      #separator \x09
      #set_separator	,
      #empty_field	(empty)
      #unset_field	-
      #path	netcontrol
      #open	2016-06-22-22-58-42
      #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
      #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
      0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
      0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
      0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
      1398529018.678276	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::CONNECTION	192.168.18.50/56981<->74.125.239.97/443	-	-	0	20.000000	-	Debug-All
      1398529018.678276	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::CONNECTION	192.168.18.50/56981<->74.125.239.97/443	-	-	0	20.000000	-	Debug-All
      #close	2016-06-22-22-58-42
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-5-hook.bro/btest-doc.sphinx.netcontrol-5-hook.bro#1
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-5-hook.bro/btest-doc.sphinx.netcontrol-5-hook.bro#1
@ -0,0 +1,10 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # bro -C -r tls/ecdhe.pcap netcontrol-5-hook.bro
      netcontrol debug (Debug-All): init
      Ignored connection from, 192.168.18.50
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-6-find.bro/btest-doc.sphinx.netcontrol-6-find.bro#1
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-6-find.bro/btest-doc.sphinx.netcontrol-6-find.bro#1
@ -0,0 +1,12 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # bro -C -r tls/google-duplicate.trace netcontrol-6-find.bro
      netcontrol debug (Debug-All): init
      netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.4.149, orig_p=60623/tcp, resp_h=74.125.239.129, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
      Rule added
      Rule already exists
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#1
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#1
@ -0,0 +1,10 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # bro -C -r tls/ecdhe.pcap netcontrol-7-catch-release.bro
      netcontrol debug (Debug-All): init
      netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=10.0 mins, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#2
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#2
@ -0,0 +1,19 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # cat netcontrol_catch_release.log
      #separator \x09
      #set_separator	,
      #empty_field	(empty)
      #unset_field	-
      #path	netcontrol_catch_release
      #open	2016-06-22-22-58-49
      #fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message
      #types	time	string	addr	enum	interval	interval	time	time	count	string	string
      1398529018.678276	2	192.168.18.50	NetControl::DROP	600.000000	3600.000000	1398529618.678276	1398532618.678276	1	-	-
      1398529018.678276	2	192.168.18.50	NetControl::DROPPED	600.000000	3600.000000	1398529618.678276	1398532618.678276	1	-	-
      #close	2016-06-22-22-58-49
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#1
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#1
@ -0,0 +1,10 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # bro netcontrol-8-multiple.bro
      netcontrol debug (Debug-All): init
      netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.17.2/32, mac=<uninitialized>], expire=1.0 min, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#2
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#2
@ -0,0 +1,28 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # cat netcontrol.log
      #separator \x09
      #set_separator	,
      #empty_field	(empty)
      #unset_field	-
      #path	netcontrol
      #open	2016-06-22-22-58-52
      #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
      #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
      1466636332.844326	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
      1466636332.844326	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
      1466636332.844326	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 10	-	-	-	Openflow-Log-42
      1466636332.844326	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Openflow-Log-42
      1466636332.844326	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
      1466636332.844326	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.0.0.1/32	-	-	0	60.000000	-	Openflow-Log-42
      1466636332.844326	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.17.2/32	-	-	0	60.000000	-	Debug-All
      1466636332.844326	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.2/32	-	-	0	60.000000	-	Openflow-Log-42
      1466636332.844326	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.17.2/32	-	-	0	60.000000	-	Debug-All
      1466636332.844326	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.0.0.1/32	-	-	0	60.000000	-	Openflow-Log-42
      1466636332.844326	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.2/32	-	-	0	60.000000	-	Openflow-Log-42
      #close	2016-06-22-22-58-52
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#3
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#3
@ -0,0 +1,21 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # cat openflow.log
      #separator \x09
      #set_separator	,
      #empty_field	(empty)
      #unset_field	-
      #path	openflow
      #open	2016-06-22-22-58-52
      #fields	ts	dpid	match.in_port	match.dl_src	match.dl_dst	match.dl_vlan	match.dl_vlan_pcp	match.dl_type	match.nw_tos	match.nw_proto	match.nw_src	match.nw_dst	match.tp_src	match.tp_dst	flow_mod.cookie	flow_mod.table_id	flow_mod.command	flow_mod.idle_timeout	flow_mod.hard_timeout	flow_mod.priority	flow_mod.out_port	flow_mod.out_group	flow_mod.flags	flow_mod.actions.out_ports	flow_mod.actions.vlan_vid	flow_mod.actions.vlan_pcp	flow_mod.actions.vlan_strip	flow_mod.actions.dl_src	flow_mod.actions.dl_dst	flow_mod.actions.nw_tos	flow_mod.actions.nw_src	flow_mod.actions.nw_dst	flow_mod.actions.tp_src	flow_mod.actions.tp_dst
      #types	time	count	count	string	string	count	count	count	count	count	subnet	subnet	count	count	count	count	enum	count	count	count	count	count	count	vector[count]	count	count	bool	string	string	count	addr	addr	count	count
      1466636332.844326	42	-	-	-	-	-	2048	-	-	10.0.0.1/32	-	-	-	4398046511108	-	OpenFlow::OFPFC_ADD	0	60	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
      1466636332.844326	42	-	-	-	-	-	2048	-	-	-	10.0.0.1/32	-	-	4398046511109	-	OpenFlow::OFPFC_ADD	0	60	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
      1466636332.844326	42	-	-	-	-	-	2048	-	-	192.168.18.2/32	-	-	-	4398046511112	-	OpenFlow::OFPFC_ADD	0	60	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
      1466636332.844326	42	-	-	-	-	-	2048	-	-	-	192.168.18.2/32	-	-	4398046511113	-	OpenFlow::OFPFC_ADD	0	60	0	-	-	1	(empty)	-	-	F	-	-	-	-	-	-	-
      #close	2016-06-22-22-58-52
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#4
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#4
@ -0,0 +1,15 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # bro -C -r tls/ecdhe.pcap netcontrol-10-use-skeleton.bro
      add, [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={
      }, _active_plugin_ids={
      }, _no_expire_plugins={
      }, _added=F]
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-9-skeleton.bro/btest-doc.sphinx.netcontrol-9-skeleton.bro#1
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-9-skeleton.bro/btest-doc.sphinx.netcontrol-9-skeleton.bro#1
@ -0,0 +1,15 @@
 .. rst-class:: btest-cmd
    .. code-block:: none
      :linenos:
      :emphasize-lines: 1,1
      # bro -C -r tls/ecdhe.pcap netcontrol-10-use-skeleton.bro
      add, [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={
      }, _active_plugin_ids={
      }, _no_expire_plugins={
      }, _added=F]
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -172,6 +172,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=intel, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=kerberos, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_catch_release, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_drop, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_shunt, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
@ -212,6 +213,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Intel::LOG, [columns=<no value description>, ev=Intel::log_intel, path=intel])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (KRB::LOG, [columns=<no value description>, ev=KRB::log_krb, path=kerberos])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::CATCH_RELEASE, [columns=<no value description>, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::DROP, [columns=<no value description>, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::LOG, [columns=<no value description>, ev=NetControl::log_netcontrol, path=netcontrol])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::SHUNT, [columns=<no value description>, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) -> <no result>
@ -238,7 +240,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1466636352.007236, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@ -253,6 +255,7 @@
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Intel::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (KRB::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Modbus::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NetControl::CATCH_RELEASE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NetControl::DROP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NetControl::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NetControl::SHUNT)) -> <no result>
@ -293,6 +296,7 @@
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
@ -333,6 +337,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Intel::LOG, [columns=<no value description>, ev=Intel::log_intel, path=intel])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (KRB::LOG, [columns=<no value description>, ev=KRB::log_krb, path=kerberos])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::CATCH_RELEASE, [columns=<no value description>, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::DROP, [columns=<no value description>, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::LOG, [columns=<no value description>, ev=NetControl::log_netcontrol, path=netcontrol])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::SHUNT, [columns=<no value description>, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) -> <no result>
@ -359,7 +364,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1466636352.007236, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@ -392,7 +397,7 @@
 0.000000   MetaHookPost  CallFunction(reading_live_traffic, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_traces, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$)) -> <no result>
-0.000000   MetaHookPost  CallFunction(strftime, <frame>, (%Y, 1466281781.048782)) -> <no result>
+0.000000   MetaHookPost  CallFunction(strftime, <frame>, (%Y, 1466636352.006823)) -> <no result>
 0.000000   MetaHookPost  CallFunction(string_to_pattern, <frame>, ((^\.?|\.)()$, F)) -> <no result>
 0.000000   MetaHookPost  CallFunction(sub, <frame>, ((^\.?|\.)(~~)$, <...>/, )) -> <no result>
 0.000000   MetaHookPost  CallFunction(to_count, <frame>, (2016)) -> <no result>
@ -834,6 +839,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=intel, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=kerberos, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_catch_release, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_drop, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_shunt, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
@ -874,6 +880,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Intel::LOG, [columns=<no value description>, ev=Intel::log_intel, path=intel]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (KRB::LOG, [columns=<no value description>, ev=KRB::log_krb, path=kerberos]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::CATCH_RELEASE, [columns=<no value description>, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::DROP, [columns=<no value description>, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::LOG, [columns=<no value description>, ev=NetControl::log_netcontrol, path=netcontrol]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::SHUNT, [columns=<no value description>, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt]))
@ -900,7 +907,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1466636352.007236, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@ -915,6 +922,7 @@
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Intel::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (KRB::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Modbus::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NetControl::CATCH_RELEASE))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NetControl::DROP))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NetControl::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NetControl::SHUNT))
@ -955,6 +963,7 @@
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
@ -995,6 +1004,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Intel::LOG, [columns=<no value description>, ev=Intel::log_intel, path=intel]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (KRB::LOG, [columns=<no value description>, ev=KRB::log_krb, path=kerberos]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::CATCH_RELEASE, [columns=<no value description>, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::DROP, [columns=<no value description>, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::LOG, [columns=<no value description>, ev=NetControl::log_netcontrol, path=netcontrol]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::SHUNT, [columns=<no value description>, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt]))
@ -1021,7 +1031,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1466636352.007236, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@ -1054,7 +1064,7 @@
 0.000000   MetaHookPre   CallFunction(reading_live_traffic, <frame>, ())
 0.000000   MetaHookPre   CallFunction(reading_traces, <frame>, ())
 0.000000   MetaHookPre   CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$))
-0.000000   MetaHookPre   CallFunction(strftime, <frame>, (%Y, 1466281781.048782))
+0.000000   MetaHookPre   CallFunction(strftime, <frame>, (%Y, 1466636352.006823))
 0.000000   MetaHookPre   CallFunction(string_to_pattern, <frame>, ((^\.?|\.)()$, F))
 0.000000   MetaHookPre   CallFunction(sub, <frame>, ((^\.?|\.)(~~)$, <...>/, ))
 0.000000   MetaHookPre   CallFunction(to_count, <frame>, (2016))
@ -1495,6 +1505,7 @@
 0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=intel, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=kerberos, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_catch_release, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_drop, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_shunt, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
@ -1535,6 +1546,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Intel::LOG, [columns=<no value description>, ev=Intel::log_intel, path=intel])
 0.000000 | HookCallFunction Log::__create_stream(KRB::LOG, [columns=<no value description>, ev=KRB::log_krb, path=kerberos])
 0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus])
 0.000000 | HookCallFunction Log::__create_stream(NetControl::CATCH_RELEASE, [columns=<no value description>, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])
 0.000000 | HookCallFunction Log::__create_stream(NetControl::DROP, [columns=<no value description>, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])
 0.000000 | HookCallFunction Log::__create_stream(NetControl::LOG, [columns=<no value description>, ev=NetControl::log_netcontrol, path=netcontrol])
 0.000000 | HookCallFunction Log::__create_stream(NetControl::SHUNT, [columns=<no value description>, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])
@ -1561,7 +1573,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1466636352.007236, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@ -1576,6 +1588,7 @@
 0.000000 | HookCallFunction Log::add_default_filter(Intel::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(KRB::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Modbus::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(NetControl::CATCH_RELEASE)
 0.000000 | HookCallFunction Log::add_default_filter(NetControl::DROP)
 0.000000 | HookCallFunction Log::add_default_filter(NetControl::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(NetControl::SHUNT)
@ -1616,6 +1629,7 @@
 0.000000 | HookCallFunction Log::add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
@ -1656,6 +1670,7 @@
 0.000000 | HookCallFunction Log::create_stream(Intel::LOG, [columns=<no value description>, ev=Intel::log_intel, path=intel])
 0.000000 | HookCallFunction Log::create_stream(KRB::LOG, [columns=<no value description>, ev=KRB::log_krb, path=kerberos])
 0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus])
 0.000000 | HookCallFunction Log::create_stream(NetControl::CATCH_RELEASE, [columns=<no value description>, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])
 0.000000 | HookCallFunction Log::create_stream(NetControl::DROP, [columns=<no value description>, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])
 0.000000 | HookCallFunction Log::create_stream(NetControl::LOG, [columns=<no value description>, ev=NetControl::log_netcontrol, path=netcontrol])
 0.000000 | HookCallFunction Log::create_stream(NetControl::SHUNT, [columns=<no value description>, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])
@ -1682,7 +1697,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1466636352.007236, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@ -1715,7 +1730,7 @@
 0.000000 | HookCallFunction reading_live_traffic()
 0.000000 | HookCallFunction reading_traces()
 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$)
-0.000000 | HookCallFunction strftime(%Y, 1466281781.048782)
+0.000000 | HookCallFunction strftime(%Y, 1466636352.006823)
 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F)
 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, )
 0.000000 | HookCallFunction to_count(2016)
@ -1730,7 +1745,8 @@
 0.000000 | HookQueueEvent filter_change_tracking()
 1362692526.869344   MetaHookPost  BroObjDtor(<void ptr>) -> <void>
 1362692526.869344   MetaHookPost  CallFunction(ChecksumOffloading::check, <null>, ()) -> <no result>
-1362692526.869344   MetaHookPost  CallFunction(NetControl::check_conn, <frame>, (141.142.228.5)) -> <no result>
+1362692526.869344   MetaHookPost  CallFunction(NetControl::catch_release_seen, <frame>, (141.142.228.5)) -> <no result>
 1362692526.869344   MetaHookPost  CallFunction(addr_to_subnet, <frame>, (141.142.228.5)) -> <no result>
 1362692526.869344   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
 1362692526.869344   MetaHookPost  CallFunction(get_net_stats, <frame>, ()) -> <no result>
 1362692526.869344   MetaHookPost  CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
@ -1741,7 +1757,8 @@
 1362692526.869344   MetaHookPost  UpdateNetworkTime(1362692526.869344) -> <void>
 1362692526.869344   MetaHookPre   BroObjDtor(<void ptr>)
 1362692526.869344   MetaHookPre   CallFunction(ChecksumOffloading::check, <null>, ())
-1362692526.869344   MetaHookPre   CallFunction(NetControl::check_conn, <frame>, (141.142.228.5))
+1362692526.869344   MetaHookPre   CallFunction(NetControl::catch_release_seen, <frame>, (141.142.228.5))
 1362692526.869344   MetaHookPre   CallFunction(addr_to_subnet, <frame>, (141.142.228.5))
 1362692526.869344   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
 1362692526.869344   MetaHookPre   CallFunction(get_net_stats, <frame>, ())
 1362692526.869344   MetaHookPre   CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
@ -1753,7 +1770,8 @@
 1362692526.869344  | HookBroObjDtor
 1362692526.869344  | HookUpdateNetworkTime 1362692526.869344
 1362692526.869344 | HookCallFunction ChecksumOffloading::check()
-1362692526.869344 | HookCallFunction NetControl::check_conn(141.142.228.5)
+1362692526.869344 | HookCallFunction NetControl::catch_release_seen(141.142.228.5)
 1362692526.869344 | HookCallFunction addr_to_subnet(141.142.228.5)
 1362692526.869344 | HookCallFunction filter_change_tracking()
 1362692526.869344 | HookCallFunction get_net_stats()
 1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
@ -1762,15 +1780,21 @@
 1362692526.869344 | HookQueueEvent filter_change_tracking()
 1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.869344 | RequestObjDtor ChecksumOffloading::check()
 1362692526.939084   MetaHookPost  CallFunction(NetControl::catch_release_seen, <frame>, (141.142.228.5)) -> <no result>
 1362692526.939084   MetaHookPost  CallFunction(addr_to_subnet, <frame>, (141.142.228.5)) -> <no result>
 1362692526.939084   MetaHookPost  CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692526.939084   MetaHookPost  DrainEvents() -> <void>
 1362692526.939084   MetaHookPost  QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
 1362692526.939084   MetaHookPost  UpdateNetworkTime(1362692526.939084) -> <void>
 1362692526.939084   MetaHookPre   CallFunction(NetControl::catch_release_seen, <frame>, (141.142.228.5))
 1362692526.939084   MetaHookPre   CallFunction(addr_to_subnet, <frame>, (141.142.228.5))
 1362692526.939084   MetaHookPre   CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.939084   MetaHookPre   DrainEvents()
 1362692526.939084   MetaHookPre   QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.939084   MetaHookPre   UpdateNetworkTime(1362692526.939084)
 1362692526.939084  | HookUpdateNetworkTime 1362692526.939084
 1362692526.939084 | HookCallFunction NetControl::catch_release_seen(141.142.228.5)
 1362692526.939084 | HookCallFunction addr_to_subnet(141.142.228.5)
 1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.939084 | HookDrainEvents
 1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log
@ -0,0 +1,25 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	netcontrol
 #open	2016-03-24-22-04-41
 #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
 #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Acld-bro/event/netcontroltest
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	waiting for plugins to initialize	-	-	-	-
 1458857080.863419	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Acld-bro/event/netcontroltest
 1458857080.863419	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
 1458857080.887618	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	-	0	36000.000000	here	Acld-bro/event/netcontroltest
 1458857080.887618	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	-	0	36000.000000	there	Acld-bro/event/netcontroltest
 1458857080.887618	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	36000.000000	-	Acld-bro/event/netcontroltest
 1458857080.888169	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	blockhosthost	0	36000.000000	here	Acld-bro/event/netcontroltest
 1458857080.888169	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	-	0	36000.000000	here	Acld-bro/event/netcontroltest
 1458857080.888169	3	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	droptcpport	0	36000.000000	there	Acld-bro/event/netcontroltest
 1458857080.888169	3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	-	0	36000.000000	there	Acld-bro/event/netcontroltest
 1458857080.888169	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	drop	0	36000.000000	-	Acld-bro/event/netcontroltest
 1458857080.888169	4	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	36000.000000	-	Acld-bro/event/netcontroltest
 1458857080.888169	2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	restorehosthost	0	36000.000000	here	Acld-bro/event/netcontroltest
 1458857080.888169	3	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	restoretcpport	0	36000.000000	there	Acld-bro/event/netcontroltest
 1458857080.888169	4	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	restore	0	36000.000000	-	Acld-bro/event/netcontroltest
 #close	2016-03-24-22-04-41
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out
@ -1,6 +1,6 @@
 Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
 rule added, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
-rule added, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule exists, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
 rule added, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], NetControl::DROP
 rule removed, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
 rule removed, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/worker-1..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/worker-1..stdout
@ -0,0 +1,4 @@
 Rule added, worker-1:2, 2
 Rule added, worker-1:3, 3
 1
 Rule destroyed, worker-1:3, 3, 0
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/worker-2..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/worker-2..stdout
@ -0,0 +1,3 @@
 Rule added, worker-2:2, 4
 Rule added, worker-2:3, 5
 1
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic/.stdout
@ -1,11 +1,11 @@
 netcontrol debug (Debug-All): init
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::MONITOR, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.17.1/32, src_p=32/tcp, dst_h=192.168.17.2/32, dst_p=32/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::MONITOR, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.17.1/32, src_p=32/tcp, dst_h=192.168.17.2/32, dst_p=32/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=1.1.2.2/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=Hi there, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=1.1.2.2/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=Hi there, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::WHITELIST, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=1.2.3.4/32, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, out_port=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::WHITELIST, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=1.2.3.4/32, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, out_port=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::REDIRECT, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.17.1/32, src_p=32/tcp, dst_h=192.168.17.2/32, dst_p=32/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, out_port=5, mod=<uninitialized>, id=5, cid=5, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::REDIRECT, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.17.1/32, src_p=32/tcp, dst_h=192.168.17.2/32, dst_p=32/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, out_port=5, mod=<uninitialized>, id=5, cid=5, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=127.0.0.2/32, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=6, cid=6, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=127.0.0.2/32, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=6, cid=6, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::MODIFY, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=127.0.0.2/32, src_p=<uninitialized>, dst_h=8.8.8.8/32, dst_p=53/udp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, out_port=<uninitialized>, mod=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=127.0.0.3, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>, redirect_port=<uninitialized>], id=7, cid=7, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::MODIFY, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=127.0.0.2/32, src_p=<uninitialized>, dst_h=8.8.8.8/32, dst_p=53/udp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, out_port=<uninitialized>, mod=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=127.0.0.3, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>, redirect_port=<uninitialized>], id=7, cid=7, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::MODIFY, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=8.8.8.8/32, src_p=53/udp, dst_h=127.0.0.2/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, out_port=<uninitialized>, mod=[src_h=8.8.8.8, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>, redirect_port=<uninitialized>], id=8, cid=8, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::MODIFY, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=8.8.8.8/32, src_p=53/udp, dst_h=127.0.0.2/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, out_port=<uninitialized>, mod=[src_h=8.8.8.8, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>, redirect_port=<uninitialized>], id=8, cid=8, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::WHITELIST, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=127.0.0.2/32, src_p=<uninitialized>, dst_h=127.0.0.3/32, dst_p=80/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, out_port=<uninitialized>, mod=<uninitialized>, id=9, cid=9, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::WHITELIST, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=127.0.0.2/32, src_p=<uninitialized>, dst_h=127.0.0.3/32, dst_p=80/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=5, location=, out_port=<uninitialized>, mod=<uninitialized>, id=9, cid=9, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::MAC, conn=<uninitialized>, flow=<uninitialized>, ip=<uninitialized>, mac=FF:FF:FF:FF:FF:FF], expire=15.0 secs, priority=0, location=<uninitialized>, out_port=<uninitialized>, mod=<uninitialized>, id=10, cid=10, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::MAC, conn=<uninitialized>, flow=<uninitialized>, ip=<uninitialized>, mac=FF:FF:FF:FF:FF:FF], expire=15.0 secs, priority=0, location=<uninitialized>, out_port=<uninitialized>, mod=<uninitialized>, id=10, cid=10, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=<uninitialized>, src_m=FF:FF:FF:FF:FF:FF, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=0, location=<uninitialized>, out_port=<uninitialized>, mod=<uninitialized>, id=11, cid=11, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=<uninitialized>, src_m=FF:FF:FF:FF:FF:FF, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=15.0 secs, priority=0, location=<uninitialized>, out_port=<uninitialized>, mod=<uninitialized>, id=11, cid=11, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out
@ -1,5 +1,4 @@
 Broker::incoming_connection_established
 add_rule, 0, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
 add_rule, 0, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], NetControl::DROP
 remove_rule, 0, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
 remove_rule, 0, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], NetControl::DROP
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.netcontrol.log
@ -3,21 +3,18 @@
 #empty_field	(empty)
 #unset_field	-
 #path	netcontrol
-#open	2016-03-08-22-15-15
+#open	2016-03-24-22-00-58
 #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
 #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Broker-bro/event/netcontroltest
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	waiting for plugins to initialize	-	-	-	-
-1457475314.791475	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Broker-bro/event/netcontroltest
+1458856858.169980	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Broker-bro/event/netcontroltest
-1457475314.791475	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+1458856858.169980	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
-1457475315.175411	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1458856858.553916	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
-1457475315.175411	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1458856858.553916	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
-1457475315.175443	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1458856858.553948	2	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
-1457475315.175443	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1458856858.553948	2	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
-1457475315.175443	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1458856858.553948	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
-1457475315.175443	3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1458856858.553948	3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
-1457475315.175443	2	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1458856858.553948	3	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
-1457475315.175443	2	NetControl::ERROR	-	-	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	Removal of non-existing rule	0	36000.000000	-	Broker-bro/event/netcontroltest
+#close	2016-03-24-22-00-59
 1457475315.175443	3	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
 1457475315.175443	3	NetControl::ERROR	-	-	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	Removal of non-existing rule	0	36000.000000	-	Broker-bro/event/netcontroltest
 #close	2016-03-08-22-15-15
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out
@ -1,7 +1,5 @@
 Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
-rule added, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule exists, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
 rule added, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], NetControl::DROP
 rule timeout, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP, [duration=<uninitialized>, packet_count=<uninitialized>, byte_count=<uninitialized>]
-rule removed, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule added, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], NetControl::DROP
 rule timeout, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], NetControl::DROP, [duration=<uninitialized>, packet_count=<uninitialized>, byte_count=<uninitialized>]
 rule removed, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], NetControl::DROP
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-2/netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-2/netcontrol.log
@ -0,0 +1,18 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	netcontrol
 #open	2016-05-31-18-51-29
 #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
 #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
 1398529018.678276	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	120.000000	-	Debug-All
 1398529018.678276	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	120.000000	-	Debug-All
 1398529018.678276	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: test drop	Debug-All
 1398529018.678276	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: test drop	Debug-All
 1398529018.678276	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: test drop	Debug-All
 1398529018.678276	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: test drop	Debug-All
 #close	2016-05-31-18-51-29
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-2/netcontrol_catch_release.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-2/netcontrol_catch_release.log
@ -0,0 +1,15 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	netcontrol_catch_release
 #open	2016-05-31-18-51-29
 #fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message
 #types	time	string	addr	enum	interval	interval	time	time	count	string	string
 1398529018.678276	2	192.168.18.50	NetControl::ADDED	600.000000	3600.000000	-	1398532618.678276	1	test drop	Address already blocked outside of catch-and-release. Catch and release will monitor and only actively block if it appears in network traffic.
 1398529018.678276	2	192.168.18.50	NetControl::DROPPED	600.000000	3600.000000	-	1398532618.678276	1	test drop	-
 1398529018.678276	3	192.168.18.50	NetControl::SEEN_AGAIN	3600.000000	86400.000000	1398532618.678276	1398615418.678276	2	test drop	-
 1398529018.678276	3	192.168.18.50	NetControl::DROPPED	3600.000000	86400.000000	1398532618.678276	1398615418.678276	2	test drop	-
 1398529018.678276	4	192.168.18.50	NetControl::SEEN_AGAIN	86400.000000	604800.000000	1398615418.678276	1399133818.678276	3	test drop	-
 1398529018.678276	4	192.168.18.50	NetControl::DROPPED	86400.000000	604800.000000	1398615418.678276	1399133818.678276	3	test drop	-
 #close	2016-05-31-18-51-29
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log
@ -0,0 +1,23 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	netcontrol
 #open	2016-05-31-18-51-46
 #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
 #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
 1464720706.881330	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
 1464720706.881330	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
 1464720706.881330	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
 1464720710.013657	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	Debug-All
 1464720710.013657	worker-1:2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	0.100000	-	Debug-All
 1464720710.013657	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	Debug-All
 1464720710.013657	worker-1:2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	0.100000	-	Debug-All
 1464720710.113687	worker-1:2	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	0.100000	-	Debug-All
 1464720710.113687	worker-1:2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	0.100000	-	Debug-All
 1464720710.113687	worker-1:2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	0.100000	-	Debug-All
 1464720711.498477	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	Debug-All
 1464720711.498477	2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	Debug-All
 1464720711.498477	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	Debug-All
 1464720711.498477	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	Debug-All
 #close	2016-05-31-18-51-51
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log
@ -0,0 +1,18 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	netcontrol_catch_release
 #open	2016-05-26-23-42-58
 #fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message
 #types	time	string	addr	enum	interval	interval	time	time	count	string	string
 1464306178.277359	2	192.168.18.50	NetControl::DROP	600.000000	3600.000000	1464306778.277359	1464309778.277359	1	-	-
 1464306178.277359	2	192.168.18.50	NetControl::DROPPED	600.000000	3600.000000	1464306778.277359	1464309778.277359	1	-	-
 1464306178.277359	worker-1:2	8.8.8.8	NetControl::ADDED	600.000000	3600.000000	-	1464309778.277359	1	-	Address already blocked outside of catch-and-release. Catch and release will monitor and only actively block if it appears in network traffic.
 1464306178.378183	worker-1:2	8.8.8.8	NetControl::UNBLOCK	600.000000	3600.000000	-	1464309778.277359	1	-	-
 1464306179.270933	2	192.168.18.50	NetControl::INFO	600.000000	3600.000000	1464306778.277359	1464309778.277359	1	-	Block seen while in rule_entities. No action taken.
 1464306179.270933	2	192.168.18.50	NetControl::UNBLOCK	600.000000	3600.000000	1464306778.277359	1464309778.277359	1	-	-
 1464306179.270933	4	8.8.8.8	NetControl::SEEN_AGAIN	3600.000000	86400.000000	1464309779.270933	1464392579.270933	2	-	-
 1464306179.270933	4	8.8.8.8	NetControl::DROPPED	3600.000000	86400.000000	1464309779.270933	1464392579.270933	2	-	-
 1464306177.678733	2	192.168.18.50	NetControl::INFO	600.000000	3600.000000	1464306778.277359	1464309778.277359	1	-	Already blocked using catch-and-release - ignoring duplicate
 #close	2016-05-26-23-42-59
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout
@ -0,0 +1,8 @@
 Suspend, worker-2
 New block, 192.168.18.50, [block_until=1464306778.277359, watch_until=1464309778.277359, num_reblocked=0, current_interval=0, current_block_id=2, location=<uninitialized>]
 New block, 8.8.8.8, [block_until=<uninitialized>, watch_until=1464309778.277359, num_reblocked=0, current_interval=0, current_block_id=worker-1:2, location=<uninitialized>]
 Resume, worker-2
 Connection established
 Info, [block_until=1464306778.277359, watch_until=1464309778.277359, num_reblocked=0, current_interval=0, current_block_id=2, location=<uninitialized>]
 Delete block, 192.168.18.50
 New block, 8.8.8.8, [block_until=1464309779.270933, watch_until=1464392579.270933, num_reblocked=1, current_interval=1, current_block_id=4, location=<uninitialized>]
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release/netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release/netcontrol.log
@ -3,16 +3,22 @@
 #empty_field	(empty)
 #unset_field	-
 #path	netcontrol
-#open	2016-03-09-23-42-34
+#open	2016-05-31-18-51-24
 #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
 #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
 1398529018.678276	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	Debug-All
 1398529018.678276	3	NetControl::RULE	-	NetControl::FAILED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	discarded duplicate insertion	0	3600.000000	Re-drop by catch-and-release	-
 1398529018.678276	4	NetControl::RULE	-	NetControl::FAILED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	discarded duplicate insertion	0	86400.000000	Re-drop by catch-and-release	-
 1398529018.678276	5	NetControl::RULE	-	NetControl::FAILED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	discarded duplicate insertion	0	604800.000000	Re-drop by catch-and-release	-
 1398529018.678276	6	NetControl::RULE	-	NetControl::FAILED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	discarded duplicate insertion	0	604800.000000	Re-drop by catch-and-release	-
 1398529018.678276	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	Debug-All
-#close	2016-03-09-23-42-34
+1398529018.678276	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	Debug-All
 1398529018.678276	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	Debug-All
 1398529018.678276	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: 	Debug-All
 1398529018.678276	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: 	Debug-All
 1398529018.678276	5	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	Debug-All
 1398529018.678276	5	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	Debug-All
 1398529018.678276	6	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	Debug-All
 1398529018.678276	6	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	Debug-All
 1398529018.678276	7	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	Debug-All
 1398529018.678276	7	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	Debug-All
 #close	2016-05-31-18-51-24
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release/netcontrol_catch_release.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release/netcontrol_catch_release.log
@ -0,0 +1,22 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	netcontrol_catch_release
 #open	2016-05-26-23-20-44
 #fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message
 #types	time	string	addr	enum	interval	interval	time	time	count	string	string
 1398529018.678276	2	192.168.18.50	NetControl::DROP	600.000000	3600.000000	1398529618.678276	1398532618.678276	1	-	-
 1398529018.678276	2	192.168.18.50	NetControl::INFO	600.000000	3600.000000	1398529618.678276	1398532618.678276	1	-	Already blocked using catch-and-release - ignoring duplicate
 1398529018.678276	2	192.168.18.50	NetControl::DROPPED	600.000000	3600.000000	1398529618.678276	1398532618.678276	1	-	-
 1398529018.678276	3	192.168.18.50	NetControl::SEEN_AGAIN	3600.000000	86400.000000	1398532618.678276	1398615418.678276	2	-	-
 1398529018.678276	3	192.168.18.50	NetControl::DROPPED	3600.000000	86400.000000	1398532618.678276	1398615418.678276	2	-	-
 1398529018.678276	4	192.168.18.50	NetControl::SEEN_AGAIN	86400.000000	604800.000000	1398615418.678276	1399133818.678276	3	-	-
 1398529018.678276	4	192.168.18.50	NetControl::DROPPED	86400.000000	604800.000000	1398615418.678276	1399133818.678276	3	-	-
 1398529018.678276	5	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	1399133818.678276	1399133818.678276	4	-	-
 1398529018.678276	5	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	1399133818.678276	1399133818.678276	4	-	-
 1398529018.678276	6	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	1399133818.678276	1399133818.678276	5	-	-
 1398529018.678276	6	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	1399133818.678276	1399133818.678276	5	-	-
 1398529018.678276	7	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	1399133818.678276	1399133818.678276	6	-	-
 1398529018.678276	7	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	1399133818.678276	1399133818.678276	6	-	-
 #close	2016-05-26-23-20-44
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.delete-internal-state/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.delete-internal-state/.stdout
@ -1,12 +1,12 @@
 netcontrol debug (Debug-All): init
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::MONITOR, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=56981/tcp, dst_h=74.125.239.97/32, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::MONITOR, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=56981/tcp, dst_h=74.125.239.97/32, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::WHITELIST, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=0 secs, priority=5, location=, out_port=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::WHITELIST, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=0 secs, priority=5, location=, out_port=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): add_rule: [ty=NetControl::REDIRECT, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=56981/tcp, dst_h=74.125.239.97/32, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=5, mod=<uninitialized>, id=5, cid=5, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _added=F]
+netcontrol debug (Debug-All): add_rule: [ty=NetControl::REDIRECT, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=56981/tcp, dst_h=74.125.239.97/32, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=5, mod=<uninitialized>, id=5, cid=5, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
-netcontrol debug (Debug-All): remove_rule: [ty=NetControl::DROP, target=NetControl::MONITOR, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=56981/tcp, dst_h=74.125.239.97/32, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _added=T]
+netcontrol debug (Debug-All): remove_rule: [ty=NetControl::DROP, target=NetControl::MONITOR, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=56981/tcp, dst_h=74.125.239.97/32, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _no_expire_plugins={\x0a\x0a}, _added=T]
-netcontrol debug (Debug-All): remove_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _added=T]
+netcontrol debug (Debug-All): remove_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _no_expire_plugins={\x0a\x0a}, _added=T]
-netcontrol debug (Debug-All): remove_rule: [ty=NetControl::WHITELIST, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=0 secs, priority=5, location=, out_port=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _added=T]
+netcontrol debug (Debug-All): remove_rule: [ty=NetControl::WHITELIST, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=0 secs, priority=5, location=, out_port=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _no_expire_plugins={\x0a\x0a}, _added=T]
-netcontrol debug (Debug-All): remove_rule: [ty=NetControl::REDIRECT, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=56981/tcp, dst_h=74.125.239.97/32, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=5, mod=<uninitialized>, id=5, cid=5, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _added=T]
+netcontrol debug (Debug-All): remove_rule: [ty=NetControl::REDIRECT, target=NetControl::FORWARD, entity=[ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=56981/tcp, dst_h=74.125.239.97/32, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=0 secs, priority=0, location=, out_port=5, mod=<uninitialized>, id=5, cid=5, _plugin_ids={\x0a\x091\x0a}, _active_plugin_ids={\x0a\x091\x0a}, _no_expire_plugins={\x0a\x0a}, _added=T]
 Dumping state
 {
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.multiple/netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.multiple/netcontrol.log
@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	netcontrol
-#open	2016-03-09-23-40-32
+#open	2016-03-18-21-54-39
 #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
 #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 10	-	-	-	Debug-All
@ -13,7 +13,6 @@
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Openflow-Log-42
 1398529018.678276	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	0.000000	-	Debug-All
 1398529018.678276	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-	-	0	0.000000	-	Openflow-Log-42
 1398529018.678276	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	0.000000	-	Debug-All
@ -46,4 +45,4 @@
 1398529020.091883	3	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	0.000000	-	Openflow-Log-42
 1398529020.091883	4	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	5	0.000000	-	Openflow-Log-42
 1398529020.091883	5	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::REDIRECT	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/56981->74.125.239.97/32/443	-> 5	-	0	0.000000	-	Openflow-Log-42
-#close	2016-03-09-23-40-32
+#close	2016-03-18-21-54-40
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.openflow/netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.openflow/netcontrol.log
@ -3,13 +3,12 @@
 #empty_field	(empty)
 #unset_field	-
 #path	netcontrol
-#open	2016-03-09-23-28-53
+#open	2016-03-18-21-54-48
 #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
 #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Openflow-Log-42
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Openflow-Log-42
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Openflow-Log-42
 1254722767.875996	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	30.000000	-	Openflow-Log-42
 1254722767.875996	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	74.53.140.153/32	-	-	0	15.000000	-	Openflow-Log-42
 1254722767.875996	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	30.000000	-	Openflow-Log-42
@ -22,4 +21,4 @@
 1437831799.610433	7	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	17.167.150.73/32	-	-	0	15.000000	-	Openflow-Log-42
 1437831799.610433	6	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	192.168.133.100/32/49655->17.167.150.73/32/443	-	-	0	30.000000	-	Openflow-Log-42
 1437831799.610433	7	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	17.167.150.73/32	-	-	0	15.000000	-	Openflow-Log-42
-#close	2016-03-09-23-28-53
+#close	2016-03-18-21-54-48
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.quarantine-openflow/netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.quarantine-openflow/netcontrol.log
@ -3,13 +3,12 @@
 #empty_field	(empty)
 #unset_field	-
 #path	netcontrol
-#open	2016-03-08-22-48-10
+#open	2016-03-18-21-54-53
 #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
 #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Openflow-Log-42
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Openflow-Log-42
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Openflow-Log-42
 1398529018.678276	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->*/*	-	-	0	36000.000000	-	Openflow-Log-42
 1398529018.678276	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::MODIFY	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->8.8.8.8/32/53	Src: _/_ (_) Dst: 192.169.18.1/_ (_)	-	5	36000.000000	-	Openflow-Log-42
 1398529018.678276	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::MODIFY	NetControl::FORWARD	NetControl::FLOW	8.8.8.8/32/53->192.168.18.50/32/*	Src: 8.8.8.8/_ (_) Dst: _/_ (_)	-	5	36000.000000	-	Openflow-Log-42
@ -18,4 +17,4 @@
 1398529018.678276	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::MODIFY	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->8.8.8.8/32/53	Src: _/_ (_) Dst: 192.169.18.1/_ (_)	-	5	36000.000000	-	Openflow-Log-42
 1398529018.678276	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::MODIFY	NetControl::FORWARD	NetControl::FLOW	8.8.8.8/32/53->192.168.18.50/32/*	Src: 8.8.8.8/_ (_) Dst: _/_ (_)	-	5	36000.000000	-	Openflow-Log-42
 1398529018.678276	5	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::WHITELIST	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->192.169.18.1/32/80	-	-	5	36000.000000	-	Openflow-Log-42
-#close	2016-03-08-22-48-10
+#close	2016-03-18-21-54-53
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@ -1,6 +1,6 @@
         0.000000 bro_init
         0.000000 filter_change_tracking
         0.000000 NetControl::init
         0.000000 filter_change_tracking
 1254722767.492060 ChecksumOffloading::check
 1254722767.492060 filter_change_tracking
 1254722767.492060 new_connection
@ -107,6 +107,7 @@
 1437831776.764391 connection_state_remove
 1437831776.764391 filter_change_tracking
 1437831776.764391 new_connection
 1437831777.107399 partial_connection
 1437831787.856895 new_connection
 1437831787.861602 connection_established
 1437831787.867142 smtp_reply
@ -152,7 +153,9 @@
 1437831787.905375 smtp_request
 1437831787.914113 smtp_reply
 1437831798.533593 new_connection
 1437831798.533765 partial_connection
 1437831799.262632 new_connection
 1437831799.410135 partial_connection
 1437831799.461152 new_connection
 1437831799.610433 connection_established
 1437831799.611764 ssl_extension_server_name
@ -206,10 +209,15 @@
 1437831800.045701 ssl_established
 1437831800.217854 net_done
 1437831800.217854 filter_change_tracking
 1437831800.217854 connection_pending
 1437831800.217854 connection_state_remove
 1437831800.217854 connection_pending
 1437831800.217854 connection_state_remove
 1437831800.217854 connection_pending
 1437831800.217854 connection_state_remove
 1437831800.217854 connection_pending
 1437831800.217854 connection_state_remove
 1437831800.217854 connection_pending
 1437831800.217854 connection_state_remove
 1437831800.217854 bro_done
 1437831800.217854 ChecksumOffloading::check
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-1-drop-with-debug_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-1-drop-with-debug_bro.btest
@ -0,0 +1,14 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-1-drop-with-debug.bro
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	NetControl::drop_connection(c$id, 20 secs);
 	}
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-10-use-skeleton_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-10-use-skeleton_bro.btest
@ -0,0 +1,14 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-10-use-skeleton.bro
 event NetControl::init()
 	{
 	local skeleton_plugin = NetControl::create_skeleton("");
 	NetControl::activate(skeleton_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	NetControl::drop_connection(c$id, 20 secs);
 	}
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-2-ssh-guesser_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-2-ssh-guesser_bro.btest
@ -0,0 +1,20 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-2-ssh-guesser.bro
@load protocols/ssh/detect-bruteforcing
 redef SSH::password_guesses_limit=10;
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 hook Notice::policy(n: Notice::Info)
 	{
 	if ( n$note == SSH::Password_Guessing )
 		NetControl::drop_address(n$src, 60min);
 	}
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-3-ssh-guesser_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-3-ssh-guesser_bro.btest
@ -0,0 +1,20 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-3-ssh-guesser.bro
@load protocols/ssh/detect-bruteforcing
 redef SSH::password_guesses_limit=10;
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 hook Notice::policy(n: Notice::Info)
 	{
 	if ( n$note == SSH::Password_Guessing )
 		add n$actions[Notice::ACTION_DROP];
 	}
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-4-drop_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-4-drop_bro.btest
@ -0,0 +1,30 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-4-drop.bro
 function our_drop_connection(c: conn_id, t: interval)
 	{
 	# As a first step, create the NetControl::Entity that we want to block
 	local e = NetControl::Entity($ty=NetControl::CONNECTION, $conn=c);
 	# Then, use the entity to create the rule to drop the entity in the forward path
 	local r = NetControl::Rule($ty=NetControl::DROP,
 		$target=NetControl::FORWARD, $entity=e, $expire=t);
 	# Add the rule
 	local id = NetControl::add_rule(r);
 	if ( id == "" )
 		print "Error while dropping";
 	}
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	our_drop_connection(c$id, 20 secs);
 	}
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-5-hook_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-5-hook_bro.btest
@ -0,0 +1,26 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-5-hook.bro
 hook NetControl::rule_policy(r: NetControl::Rule)
 	{
 	if ( r$ty == NetControl::DROP &&
 	     r$entity$ty == NetControl::CONNECTION &&
 			 r$entity$conn$orig_h in 192.168.0.0/16 )
 			 {
 			 print "Ignored connection from", r$entity$conn$orig_h;
 			 break;
 			 }
 	}
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	NetControl::drop_connection(c$id, 20 secs);
 	}
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-6-find_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-6-find_bro.btest
@ -0,0 +1,21 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-6-find.bro
 event NetControl::init()
 	{
 	local netcontrol_debug = NetControl::create_debug(T);
 	NetControl::activate(netcontrol_debug, 0);
 	}
 event connection_established(c: connection)
 	{
 	if ( |NetControl::find_rules_addr(c$id$orig_h)| > 0 )
 		{
 		print "Rule already exists";
 		return;
 		}
 	NetControl::drop_connection(c$id, 20 secs);
 	print "Rule added";
 	}
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-7-catch-release_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-7-catch-release_bro.btest
@ -0,0 +1,14 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-7-catch-release.bro
 event NetControl::init()
 	{
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	}
 event connection_established(c: connection)
 	{
 	NetControl::drop_address_catch_release(c$id$orig_h);
 	}
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-8-multiple_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-8-multiple_bro.btest
@ -0,0 +1,33 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-8-multiple.bro
 function our_openflow_check(p: NetControl::PluginState, r: NetControl::Rule): bool
 	{
 	if ( r$ty == NetControl::DROP &&
 		r$entity$ty == NetControl::ADDRESS &&
 		subnet_width(r$entity$ip) == 32 &&
 		subnet_to_addr(r$entity$ip) in 192.168.17.0/24 )
 		return F;
 	return T;
 	}
 event NetControl::init()
 	{
 	# Add debug plugin with low priority
 	local debug_plugin = NetControl::create_debug(T);
 	NetControl::activate(debug_plugin, 0);
 	# Instantiate OpenFlow debug plugin with higher priority
 	local of_controller = OpenFlow::log_new(42);
 	local netcontrol_of = NetControl::create_openflow(of_controller, [$check_pred=our_openflow_check]);
 	NetControl::activate(netcontrol_of, 10);
 	}
 event NetControl::init_done()
 	{
 	NetControl::drop_address(10.0.0.1, 1min);
 	NetControl::drop_address(192.168.17.2, 1min);
 	NetControl::drop_address(192.168.18.2, 1min);
 	}
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-9-skeleton_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-9-skeleton_bro.btest
@ -0,0 +1,43 @@
 # @TEST-EXEC: cat %INPUT >output && btest-diff output
 netcontrol-9-skeleton.bro
 module NetControl;
 export {
 	## Instantiates the plugin.
 	global create_skeleton: function(argument: string) : PluginState;
 }
 function skeleton_name(p: PluginState) : string
 	{
 	return "NetControl skeleton plugin";
 	}
 function skeleton_add_rule_fun(p: PluginState, r: Rule) : bool
 	{
 	print "add", r;
 	event NetControl::rule_added(r, p);
 	return T;
 	}
 	function skeleton_remove_rule_fun(p: PluginState, r: Rule) : bool
 	{
 	print "remove", r;
 	event NetControl::rule_removed(r, p);
 	return T;
 	}
 global skeleton_plugin = Plugin(
 	$name = skeleton_name,
 	$can_expire = F,
 	$add_rule = skeleton_add_rule_fun,
 	$remove_rule = skeleton_remove_rule_fun
 	);
 function create_skeleton(argument: string) : PluginState
 	{
 	local p = PluginState($plugin=skeleton_plugin);
 	return p;
 	}
--- a/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest
+++ b/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest
@ -0,0 +1,2 @@
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-1-drop-with-debug.bro
@TEST-EXEC: btest-rst-cmd cat netcontrol.log
--- a/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest#2
+++ b/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest#2
@ -0,0 +1 @@
@TEST-EXEC: btest-rst-cmd cat netcontrol_drop.log
--- a/testing/btest/doc/sphinx/netcontrol-2-ssh-guesser.bro.btest
+++ b/testing/btest/doc/sphinx/netcontrol-2-ssh-guesser.bro.btest
@ -0,0 +1,2 @@
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-2-ssh-guesser.bro
@TEST-EXEC: btest-rst-cmd cat netcontrol.log
--- a/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest
+++ b/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest
@ -0,0 +1,2 @@
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-3-ssh-guesser.bro
@TEST-EXEC: btest-rst-cmd cat netcontrol.log
--- a/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest#2
+++ b/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest#2
@ -0,0 +1 @@
@TEST-EXEC: btest-rst-cmd cat notice.log
--- a/Show more
+++ b/Show more
		`@ -0,0 +1,2 @@`
							`The OpenFlow framework exposes the datastructures and functions`
							`necessary to interface to OpenFlow capable hardware.`
		`@ -0,0 +1,3 @@`
							`Rule added, worker-2:2, 4`
							`Rule added, worker-2:3, 5`
							`1`
		`@ -0,0 +1,2 @@`
							`@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-1-drop-with-debug.bro`
							`@TEST-EXEC: btest-rst-cmd cat netcontrol.log`
		`@ -0,0 +1 @@`
							`@TEST-EXEC: btest-rst-cmd cat netcontrol_drop.log`