diff --git a/CHANGES b/CHANGES
index 5d09e27fe0..3e2b575dd6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,466 @@
 
+2.5-297 | 2017-09-11 09:26:33 -0700
+
+  * Fix small OCSP parser bug; serial numbers were not passed to events
+    (Johanna Amann)
+
+  * Fix expire-redef.bro test. (Daniel Thayer)
+
+2.5-294 | 2017-08-11 13:51:49 -0500
+
+  * Fix core.truncation unit test on macOS. (Jon Siwek)
+
+  * Fix a netcontrol test that often fails (Daniel Thayer)
+
+  * Update install instructions for Fedora 26 (Daniel Thayer)
+
+2.5-288 | 2017-08-04 14:17:10 -0700
+
+  * Fix field not being populated, which resulted in a reporter
+    messsage. Addresses BIT-1831. Reported by Chris Herdt. (Seth Hall)
+
+  * Support for OCSP and Signed Certificate Timestamp. (Liang
+    Zhu/Johanna Amann)
+
+      - OCSP parsing is added to the X.509 module.
+
+      - Signed Certificate Timestamp extraction, parsing, & validation
+        is added to the SSL, X.509, and OCSP analyzers. Validation is
+        added to the X.509 BIFs.
+
+    This adds the following events and BIFs:
+
+      - event ocsp_request(f: fa_file, version: count, requestorName: string);
+      - event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string);
+      - event ocsp_response_status(f: fa_file, status: string);
+      - event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector);
+      - event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time);
+      - event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool);
+      - event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string);
+      - event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string);
+      - function sct_verify(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""): bool
+      - function x509_subject_name_hash(cert: opaque of x509, hash_alg: count): string
+      - function x509_issuer_name_hash(cert: opaque of x509, hash_alg: count): string
+      - function x509_spki_hash(cert: opaque of x509, hash_alg: count): string
+
+    This also changes the MIME types that we use to identify X.509
+    certificates in SSL connections from "application/pkix-cert" to
+    "application/x-x509-user-cert" for host certificates and
+    "application/x-x509-ca-cert" for CA certificates.
+
+  * The SSL scripts provide a new hook "ssl_finishing(c: connection)"
+    to trigger actions after the handshake has concluded. (Johanna
+    Amann)
+
+  * Add an internal API for protocol analyzers to provide the MIME
+    type of file data directly, disabling automatic inferrence.
+    (Johanna Amann).
+
+2.5-186 | 2017-07-28 12:22:20 -0700
+
+  * Improved handling of '%' at end of line in HTTP analyzer. (Johanna
+    Amann)
+
+  * Add canonifier to catch and release test that should fix test
+    failures. (Johanna Amann)
+
+2.5-181 | 2017-07-25 16:02:41 -0700
+
+  * Extend plugin infrastructure to catch Bro version mismatches at link
+    time.
+
+    The version number used for the function name is slightly normalized
+    to skip any git revision postfixes (i.e., "2.5-xxx" is always treated
+    as "2.5-git") so that one doesn't need to recompile all plugins after
+    every master commit. That seems good enough, usually people run into
+    this when upgrading to a new release. The Plugin API version is also
+    part of the version number.
+
+    If one loads an old plugin into a new Bro, the error message looks
+    like this:
+
+        $ bro -NN Demo::Foo
+        fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1:
+        cannot load plugin library /home/robin/tmp/p/build//lib/Demo-Foo.linux-x86_64.so:
+        /home/robin/tmp/p/build//lib/Demo-Foo.linux-x86_64.so: undefined symbol: bro_version_2_5_git_debug
+
+    (Robin Sommer)
+
+  * Several fixes and improvements for software version parsing.
+
+     - Addresses Philip Romero's question from the Bro mailing list.
+     - Adds Microsoft Edge as a detected browser.
+     - We are now unescaping encoded characters in software names. (Seth Hall)
+
+  * Remove another reference to now removed bro-plugins. (Johanna Amann)
+
+2.5-175 | 2017-07-07 14:35:11 -0700
+
+  * Removing aux/plugins. Most of the plugins are now Bro packages.
+    (Robin Sommer)
+
+  * Update install instructions for Debian 9. (Daniel Thayer)
+
+2.5-170 | 2017-07-07 12:20:19 -0700
+
+  * Update krb-protocol.pac (balintm)
+    This fixes parsing of KRB_AP_Options where the padding and flags were reversed.
+
+  * Add new cipher suites from draft-ietf-tls-ecdhe-psk-aead-05 (Johanna Amann)
+
+  * Test changes: remove loading of listen.bro in tests that do not use it,
+    serialize tests that load listen.bro, fix race conditions in some tests.
+    (Daniel Thayer)
+
+  * The broccoli-v6addrs "-r" option was renamed to "-R" (Daniel Thayer)
+
+2.5-156 | 2017-06-13 11:01:56 -0700
+
+  * Add 2.5.1 news file to master. (Johanna Amann)
+
+  * Remove link to no longer existing myricom plugin. (Johanna Amann)
+
+2.5-152 | 2017-06-05 15:16:49 -0700
+
+  * Remove non-existing links; this broke documentation build. (Johanna Amann)
+
+  * Fix at_least in Version.bro - it did exactly the oposite of the documented
+    behavior. (Johanna Amann)
+
+2.5-147 | 2017-05-22 20:32:32 -0500
+
+  * Add nfs unittest. (Julien Wallior)
+
+  * Added nfs_proc_rename event to rpc/nfs protocol analyzer.
+    (Roberto Del Valle Rodriguez)
+
+  * Expand parsing of RPC Call packets to add Uid, Gid, Stamp, MachineName
+    and AuxGIDs (Julien Wallior)
+
+  * Fix NFS protocol parser. (Julien Wallior)
+
+2.5-142 | 2017-05-22 00:08:52 -0500
+
+  * Add gzip log writing to the ascii writer.
+
+    This feature can be enabled globally for all logs by setting
+    LogAscii::gzip_level to a value greater than 0.
+
+    This feature can be enabled on a per-log basis by setting gzip-level in
+    $config to a value greater than 0. (Corelight)
+
+2.5-140 | 2017-05-12 15:31:32 -0400
+
+  * Lessen cluster load due to notice suppression. 
+    (Johanna Amann, Justin Azoff)
+
+2.5-137 | 2017-05-04 11:37:48 -0500
+
+  * Add plugin hooks for log init and writing: HookLogInit and HookLogWrite.
+    (Corelight)
+
+  * TLS: Fix compile warning (comparison between signed/unsigned).
+
+    This was introduced with the addition of new TLS1.3 extensions. (Johanna Amann)
+
+
+2.5-134 | 2017-05-01 10:34:34 -0500
+
+  * Add rename, unlink, and rmdir bifs. (Corelight)
+
+2.5-131 | 2017-04-21 14:27:16 -0700
+
+  * Guard more format strings with __attribute__((format)). (Johanna Amann)
+
+  * Add support for two TLS 1.3 extensions.
+
+    New events:
+        - event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
+        - event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) (Johanna Amann)
+
+2.5-125 | 2017-04-17 22:02:39 +0200
+
+  * Documentation updates for loading Bro scripts. (Seth Hall)
+
+2.5-123 | 2017-04-10 13:30:14 -0700
+
+  * Fix some failing tests by increasing delay times. (Daniel Thayer)
+
+  * Threading Types: add a bit of documentation to subnet type. (Johanna Amann)
+
+  * Fixing couple issues reported by Coverity. (Robin Sommer)
+
+2.5-119 | 2017-04-07 10:30:09 -0700
+
+  * Fix the test group name in some broker test files. (Daniel Thayer)
+
+  * NetControl: small rule_error changes (test, call fix). (Johanna Amann)
+
+  * SSL: update dpd signature for TLS1.3. (Johanna Amann)
+
+2.5-115 | 2017-03-23 07:25:41 -0700
+
+  * Fix a test that was failing on some platforms. (Daniel Thayer)
+
+  * Remove test for cluster catch and release. This test keeps failing
+    intermittently because of timing issues that are surprisingly hard
+    to fix. (Johanna Amann)
+
+  * Fix some Coverity warnings. (Daniel Thayer)
+
+2.5-106 | 2017-03-13 11:19:03 -0700
+
+  * print version string to stdout on --version, instead
+    of printing it to stderr. Output is not an error output.  (Pete)
+
+  * Fix compiler warning raised by llvm8. (Johanna Amann)
+
+  * Fix coverity warning in Ascii reader. (Johanna Amann)
+
+2.5-101 | 2017-03-09 12:20:11 -0500
+
+  * Input's framework's ascii reader is now more resilient.
+
+    By default, the ASCII reader does not fail on errors anymore.
+    If there is a problem parsing a line, a reporter warning is
+    written and parsing continues.  If the file is missing or can't
+    be read, the input thread just tries again on the next heartbeat.
+    (Seth Hall, Johanna Amann)
+
+2.5-92 | 2017-03-03 10:44:14 -0800
+
+  * Move most threading to C++11 primitives (mostly). (Johanna Amann)
+
+  * Fix a test that sometimes fails on FreeBSD. (Daniel Thayer)
+
+  * Remove build time warnings. (Seth Hall)
+
+2.5-84 | 2017-02-27 15:08:55 -0500
+
+  * Change semantics of Broker's remote logging to match old communication
+    framework. (Robin Sommer)
+
+  * Add and fix documentation for HookSetupAnalyzerTree (Johanna Amann)
+
+
+2.5-76 | 2017-02-23 10:19:57 -0800
+
+  * Kerberos ciphertext had some additional ASN.1 content being lumped
+    in. (Vlad Grigorescu)
+
+  * Updated Windows version detection to include Windows 10. (Fatema
+    Bannatwala, Keith Lehigh, Mike, Seth Hall).
+
+2.5-70 | 2017-02-20 00:20:02 -0500
+
+  * Rework the RADIUS base script.
+
+    Fixes BIT-1769 which improves logging behavior when replies aren't
+    seen.  Also added a `framed_addr` field to indicate if the radius
+    server is hinting at an address for the client and a `ttl` field to
+    show how quickly the server is responding. (Seth Hall)
+
+2.5-68 | 2017-02-18 13:59:05 -0500
+
+  * Refactored base krb scripts. (Seth Hall)
+
+  * New script to log ticket hashes in krb log
+    (policy/protocols/krb/ticket-logging.bro).  Also, add
+    ciphertext to ticket data structure. (John E. Rollinson)
+
+2.5-62 | 2017-02-15 15:56:38 -0800
+
+  * Fix case in which scripts were able to access unitialized variables
+    in certain cases. Addresses BIT-1785. (Jon Siwek)
+
+2.5-60 | 2017-02-15 15:19:20 -0800
+
+  * Implement ERSPAN support.
+
+    There is a small caveat to this implementation.  The ethernet
+    header that is carried over the tunnel is ignored.  If a user
+    tries to do MAC address logging, it will only show the MAC
+    addresses for the outer tunnel and the inner MAC addresses
+    will be stripped and not available anywhere. (Seth Hall)
+
+  * Tiny mime-type fix from Dan Caselden. (Seth Hall)
+
+  * Update failing intel framework test. (Johanna Amann)
+
+2.5-55 | 2017-02-10 09:50:43 -0500
+
+  * Fixed intel expiration reset. Reinserting the same indicator did not reset
+    the expiration timer for the indicator in the underlying data store.
+    Addresses BIT-1790. (Jan Grashoefer)
+
+2.5-51 | 2017-02-06 10:15:56 -0500
+
+  * Fix memory leak in file analyzer. (Johanna Amann)
+
+  * Fix a series of problems with the to_json function.
+    Addresses BIT-1788. (Daniel Thayer)
+
+2.5-44 | 2017-02-03 16:38:10 -0800
+
+  * Change snap lengths of some tests. (Johanna Amann)
+
+  * Fix layer 2 connection flipping. If connection flipping occured in
+    Sessions.cc code (invoked e.g. when the original SYN is missing),
+    layer 2 flipping was not performed. (Johanna Amann)
+
+2.5-39 | 2017-02-01 14:03:08 -0800
+
+  * Fix file analyzer memory management, and a delay in disabling file analyzers.
+    File analyzers are no longer deleted immediately; this is delayed until
+    a file opject is destroyed. Furthermore, no data is sent to file analyzers
+    anymore after they have been disabled.
+
+2.5-33 | 2017-02-01 10:07:47 -0500
+
+  * New file types sigs. (Keith Lehigh)
+
+  * Change snaplen of test trace from 1,000,000 to 10,000
+
+    Recent versions of libpcap are unhappy with values bigger than 262,144
+    and will refuse reading the file. (Johanna Amann)
+
+
+2.5-30 | 2017-01-26 13:24:36 -0800
+
+  * Extend file extraction log, adding extracted_cutoff and extracted_size
+    fields. (Seth Hall)
+
+  * Add new TLS extension type (cached_info) (Johanna Amann)
+
+  * Remove brocon event; it caused test failures. (Johanna Amann)
+
+  * Add missing paths to SMB Log::create_streams calls. (Johanna Amann)
+
+  * Tiny xlsx file signature fix. (Dan Caselden)
+
+  * Allow access to global variables using GLOBAL:: namespace.
+    Addresses BIT-1758. (Francois Pennaneac)
+
+2.5-17 | 2016-12-07 14:51:37 -0800
+
+  * Broxygen no longer attempts to do tilde expansion of PATH, giving
+    an error message instead if bro is located in a PATH component
+    that starts with a tilde. Broxygen also no longer attempts to get
+    the mtime of the bro executable when bro is not invoced with the
+    "-X" option. (Daniel Thayer)
+
+  * Fix failing tests, compiler warnings and build issues on OpenBSD.
+    (Daniel Thayer)
+
+2.5-9 | 2016-12-05 11:39:54 -0800
+
+  * Fix validation of OCSP replies inside of Bro. (Johanna Amann)
+
+    At one place in the code, we did not check the correct return
+    code. This makes it possible for a reply to get a response of
+    "good", when the OCSP reply is not actually signed by the
+    responder in question.
+
+    This also instructs OCSP verication to skip certificate chain
+    validation, which we do ourselves earlier because the OCSP verify
+    function cannot do it correctly (no way to pass timestamp).
+
+2.5-6 | 2016-11-29 12:51:04 -0800
+
+  * Fix a build failure on OpenBSD relating to pcap_pkthdr. Also fixes
+    an include issue on OpenBSD. (Daniel Thayer)
+
+  * Fix compile error in krb-types.pac. (Johanna Amann)
+
+  * Update krb-types.pac: KerberosString formatting for the principal
+    principal name is now compliant with RFC 4120 section 5.2.2. (jamesecorrenti)
+
+2.5 | 2016-11-16 14:51:59 -0800
+
+  * Release 2.5.
+
+2.5-beta2-17 | 2016-11-14 17:59:19 -0800
+
+  * Add missing '@load ./pubkey-hashes' to
+    policy/frameworks/intel/seen. (Robin Sommer)
+
+2.5-beta2-15 | 2016-11-14 17:52:55 -0800
+
+  * Remove unused "bindist" make target. (Daniel Thayer)
+
+  * Improve the "How to Upgrade" page in the Bro docs. (Daniel Thayer)
+
+  * Update the quickstart guide for the deploy command. (Daniel Thayer)
+
+  * Improved installation instructions for Mac OS X. (Daniel Thayer)
+
+  * Lots of more small updates to documentation. (Daniel Thayer)
+
+2.5-beta2 | 2016-11-02 12:13:11 -0700
+
+  * Release 2.5-beta2.
+
+2.5-beta-135 | 2016-11-02 09:47:20 -0700
+
+  * SMB fixes and cleanup. Includes better SMB error handling, improved DCE_RPC
+    handling in edge cases where drive_mapping is not seen. The concept of unknown
+    shares has been removed with this change. Also fixes SMB tree connect handling and
+    removes files that are not parsed. SMB2 error parsing is disabled because it never
+    was implemented correctly. (Seth Hall)
+
+  * Including a test for raw NTLM in SMB (Seth Hall)
+
+  * Updates for SMB auth handling from Martin van Hensbergen.
+
+     - Raw NTLM (not in GSSAPI) over SMB is now handled correctly.
+     - The encrypted NTLM session key is now passed into scriptland
+       through the ntlm_authenticate event. (Seth Hall)
+
+  * Add a files framework signature for VIM tmp files. (Seth Hall)
+
+  * Version parsing scripts now supports several beta versions. (Johanna Amann)
+
+2.5-beta-123 | 2016-11-01 09:40:49 -0700
+
+  * Add a new site policy script local-logger.bro. (Daniel Thayer)
+
+2.5-beta-121 | 2016-10-31 14:24:33 -0700
+
+  * Python 3 compatibility fixes for documentation building. (Daniel Thayer)
+
+2.5-beta-114 | 2016-10-27 09:00:24 -0700
+
+  * Fix for Sphinx >= 1.4 compability. (Robin Sommer)
+
+2.5-beta-113 | 2016-10-27 07:44:25 -0700
+
+  * XMPP: Fix detection of StartTLS when using namespaces. (Johanna
+    Amann)
+
+2.5-beta-110 | 2016-10-26 09:42:11 -0400
+
+  * Improvements DCE_RPC analyzer to make it perform fragment handling correctly
+    and generally be more resistent to unexpected traffic. (Seth Hall)
+
+2.5-beta-102 | 2016-10-25 09:43:45 -0700
+
+  * Update number of bytes in request/response of smb1-com-open-andx.pac. (balintm)
+
+  * Fix a IPv4 CIDR specifications and payload-size condition of signature matching.
+    (Robin Sommer)
+
+  * Python 3 compatibility fix for coverage-calc script. (Daniel Thayer)
+
+2.5-beta-93 | 2016-10-24 11:11:07 -0700
+
+  * Fix alignment issue of ones_complement_checksum. This error
+    occured reproducibly newer compilers when called from
+    icmp6_checksum. (Johanna Amann)
+
+2.5-beta-91 | 2016-10-20 11:40:37 -0400
+
+  * Fix istate.pybroccoli test on systems using Python 3. (Daniel Thayer)
+
 2.5-beta-89 | 2016-10-18 21:50:51 -0400
 
   * SSH analyzer changes: the events are now restructured a bit. There is a new
@@ -395,7 +857,7 @@
 
 2.4-683 | 2016-07-08 14:55:04 -0700
 
-  * Extendign connection history field to flag with '^' when Bro flips
+  * Extending connection history field to flag with '^' when Bro flips
     a connection's endpoints. Addresses BIT-1629. (Robin Sommer)
 
 2.4-680 | 2016-07-06 09:18:21 -0700
@@ -505,7 +967,7 @@
 2.4-623 | 2016-06-15 17:31:12 -0700
 
   * &default values are no longer overwritten with uninitialized
-	  by the input framework. (Jan Grashoefer)
+    by the input framework. (Jan Grashoefer)
 
 2.4-621 | 2016-06-15 09:18:02 -0700
 
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5a7fba482e..990c09b611 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -40,12 +40,26 @@ file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh
      "setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
 
 file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1)
+execute_process(COMMAND grep "^#define  *BRO_PLUGIN_API_VERSION"
+                INPUT_FILE ${CMAKE_CURRENT_SOURCE_DIR}/src/plugin/Plugin.h
+                OUTPUT_VARIABLE API_VERSION
+                OUTPUT_STRIP_TRAILING_WHITESPACE)
+string(REGEX REPLACE "^#define.*VERSION *" "" API_VERSION "${API_VERSION}")
+
 string(REPLACE "." " " version_numbers ${VERSION})
 separate_arguments(version_numbers)
 list(GET version_numbers 0 VERSION_MAJOR)
 list(GET version_numbers 1 VERSION_MINOR)
 set(VERSION_MAJ_MIN "${VERSION_MAJOR}.${VERSION_MINOR}")
 
+set(VERSION_C_IDENT "${VERSION}_plugin_${API_VERSION}")
+string(REGEX REPLACE "-[0-9]*$" "_git" VERSION_C_IDENT "${VERSION_C_IDENT}")
+string(REGEX REPLACE "[^a-zA-Z0-9_\$]" "_" VERSION_C_IDENT "${VERSION_C_IDENT}")
+
+if(${ENABLE_DEBUG})
+    set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug")
+endif()
+
 ########################################################################
 ## Dependency Configuration
 
diff --git a/Makefile b/Makefile
index 3efddc4dbc..74e8c3aa3e 100644
--- a/Makefile
+++ b/Makefile
@@ -42,10 +42,6 @@ dist:
 	@$(HAVE_MODULES) && find $(VERSION_MIN) -name .git\* | xargs rm -rf || exit 0
 	@$(HAVE_MODULES) && tar -czf $(VERSION_MIN).tgz $(VERSION_MIN) && echo Package: $(VERSION_MIN).tgz && rm -rf $(VERSION_MIN) || exit 0
 
-bindist:
-	@( cd pkg && ( ./make-deb-packages || ./make-mac-packages || \
-	               ./make-rpm-packages ) )
-
 distclean:
 	rm -rf $(BUILD)
 	$(MAKE) -C testing $@
@@ -65,4 +61,4 @@ configured:
 	@test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 )
 	@test -e $(BUILD)/Makefile || ( echo "Error: No build/Makefile found. Did you run configure?" && exit 1 )
 
-.PHONY : all install clean doc docclean dist bindist distclean configured
+.PHONY : all install clean doc docclean dist distclean configured
diff --git a/NEWS b/NEWS
index 34d942a7db..6d35a8978b 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,95 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file
 (note that submodules, such as BroControl and Broccoli, come with
 their own ``CHANGES``.)
 
+
+Bro 2.6 (in progress)
+=====================
+
+New Functionality
+-----------------
+
+- Support for OCSP and Signed Certificate Timestamp. This adds the
+  following events and BIFs:
+
+  - Events: ocsp_request, ocsp_request_certificate,
+    ocsp_response_status, ocsp_response_bytes
+    ocsp_response_certificate ocsp_extension
+    x509_ocsp_ext_signed_certificate_timestamp
+    ssl_extension_signed_certificate_timestamp
+
+  - Functions: sct_verify, x509_subject_name_hash,
+    x509_issuer_name_hash x509_spki_hash
+
+- The SSL scripts provide a new hook "ssl_finishing(c: connection)"
+  to trigger actions after the handshake has concluded.
+
+Changed Functionality
+---------------------
+
+- The MIME types used to identify X.509 certificates in SSL
+  connections changed from "application/pkix-cert" to
+  "application/x-x509-user-cert" for host certificates and
+  "application/x-x509-ca-cert" for CA certificates.
+
+Removed Functionality
+---------------------
+
+- We no longer maintain any Bro plugins as part of the Bro
+  distribution. Most of the plugins that used be in aux/plugins have
+  been moved over to use the Bro Package Manager instead. See
+  https://github.com/bro/packages for a list of Bro packages currently
+  available.
+
+Bro 2.5.1
+=========
+
+New Functionality
+-----------------
+
+- Bro now includes bifs for rename, unlink, and rmdir.
+
+- Bro now includes events for two extensions used by TLS 1.3:
+  ssl_extension_supported_versions and ssl_extension_psk_key_exchange_modes
+
+- Bro now includes hooks that can be used to interact with log processing
+  on the C++ level.
+
+- Bro now supports ERSPAN. Currently this ignores the ethernet header that is
+  carried over the tunnel; if a MAC is logged currently only the outer MAC
+  is returned.
+
+- Added a new BroControl option CrashExpireInterval to enable
+  "broctl cron" to remove crash directories that are older than the
+  specified number of days (the default value is 0, which means crash
+  directories never expire).
+
+- Added a new BroControl option MailReceivingPackets to control
+  whether or not "broctl cron" will mail a warning when it notices
+  that no packets were seen on an interface.
+
+- There is a new broctl command-line option "--version" which outputs
+  the BroControl version.
+
+Changed Functionality
+---------------------
+
+- The input framework's Ascii reader is now more resilient. If an input
+  is marked to reread a file when it changes and the file didn't exist
+  during a check Bro would stop watching the file in previous versions.
+  The same could happen with bad data in a line of a file.  These
+  situations do not cause Bro to stop watching input files anymore. The
+  old behavior is available through settings in the Ascii reader.
+
+- The RADIUS scripts have been reworked. Requests are now logged even if
+  there is no response. The new framed_addr field in the log indicates
+  if the radius server is hinting at an address for the client. The ttl
+  field indicates how quickly the server is replying to the network access
+  server.
+
+- With the introduction of the Bro package manager, the Bro plugin repository
+  is considered deprecated. The af_packet, postgresql, and tcprs plugins have
+  already been removed and are available via bro-pkg.
+
 Bro 2.5
 =======
 
@@ -31,16 +120,20 @@ New Functionality
      transferred over SMB can be analyzed.
    - Includes GSSAPI and NTLM analyzer and reimplements the DCE-RPC
      analyzer.
-   - New logs: smb_cmd.log, smb_files.log, smb_mapping.log, ntlm.log, and dce_rpc.log
+   - New logs: smb_cmd.log, smb_files.log, smb_mapping.log, ntlm.log,
+     and dce_rpc.log
    - Not every possible SMB command or functionality is implemented, but
      generally, file handling should work whenever files are transferred.
      Please speak up on the mailing list if there is an obvious oversight.
 
 - Bro now includes the NetControl framework. The framework allows for easy
   interaction of Bro with hard- and software switches, firewalls, etc.
-  New log files: net_control.log, netcontrol_catch_release.log,
+  New log files: netcontrol.log, netcontrol_catch_release.log,
   netcontrol_drop.log, and netcontrol_shunt.log.
 
+- Bro now includes the OpenFlow framework which exposes the data structures
+  necessary to interface to OpenFlow capable hardware.
+
 - Bro's Intelligence Framework was refactored and new functionality
   has been added:
 
@@ -86,8 +179,8 @@ New Functionality
     groups in TLS 1.3.
 
   - The new event ssl_application_data gives information about application data
-    that is exchanged before encryption fully starts. This is used to detect when
-    encryption starts in TLS 1.3.
+    that is exchanged before encryption fully starts. This is used to detect
+    when encryption starts in TLS 1.3.
 
 - Bro now tracks VLAN IDs. To record them inside the connection log,
   load protocols/conn/vlan-logging.bro.
@@ -116,7 +209,7 @@ New Functionality
   - matching_subnets(subnet, table) returns all subnets of the set or table
     that contain the given subnet.
 
-  - filter_subnet_table(subnet, table) works like check_subnet, but returns
+  - filter_subnet_table(subnet, table) works like matching_subnets, but returns
     a table containing all matching entries.
 
 - Several built-in functions for handling IP addresses and subnets were added:
@@ -154,8 +247,10 @@ New Functionality
 
 - The pcap buffer size can be set through the new option Pcap::bufsize.
 
-- Input framework readers Table and Event can now define a custom
-  event to receive logging messages.
+- Input framework readers stream types Table and Event can now define a custom
+  event (specified by the new "error_ev" field) to receive error messages
+  emitted by the input stream. This can, e.g., be used to raise notices in
+  case errors occur when reading an important input source.
 
 - The logging framework now supports user-defined record separators,
   renaming of column names, as well as extension data columns that can
@@ -315,6 +410,10 @@ Changed Functionality
     the crash report includes instructions on how to get backtraces
     included in future crash reports.
 
+  - There is a new option SitePolicyScripts that replaces SitePolicyStandalone
+    (the old option is still available, but will be removed in the next
+    release).
+
 Removed Functionality
 ---------------------
 
diff --git a/VERSION b/VERSION
index d2c4057cd5..a5ed34e608 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.5-beta-89
+2.5-297
diff --git a/aux/binpac b/aux/binpac
index 097c1dde17..27356ae52f 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 097c1dde17c218973a9adad9ba39f8cfd639d9c1
+Subproject commit 27356ae52ff9ff639b53a7325ea3262e1a13b704
diff --git a/aux/bro-aux b/aux/bro-aux
index 0191254451..02f710a436 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 0191254451d1aa9a5c985d493ad51f4f1c5f7d85
+Subproject commit 02f710a436dfe285bae0d48d7f7bc498783e11a8
diff --git a/aux/broccoli b/aux/broccoli
index 0743c4f516..25907f6b0a 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 0743c4f51600cc90aceccaee72ca879b271712d2
+Subproject commit 25907f6b0a5347304d1ec8213bfad3d114260ca0
diff --git a/aux/broctl b/aux/broctl
index f944471bec..1ab5ed3d3b 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit f944471bec062876aa18317f51b6fbe5325ca166
+Subproject commit 1ab5ed3d3b0f2a3ff231de77816a697d55abccb8
diff --git a/aux/broker b/aux/broker
index 497924cdcc..862c982f35 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 497924cdcc23d26221bc39b24bcddcb62ec13ca7
+Subproject commit 862c982f35e342fb10fa281120135cf61eca66bb
diff --git a/aux/btest b/aux/btest
index 625dbecfd6..2810ccee25 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 625dbecfd63022d79a144b9651085e68cdf99ce4
+Subproject commit 2810ccee25f6f20be5cd241155f12d02a79d592a
diff --git a/aux/netcontrol-connectors b/aux/netcontrol-connectors
index c60d24c7b7..9f3d6fce49 160000
--- a/aux/netcontrol-connectors
+++ b/aux/netcontrol-connectors
@@ -1 +1 @@
-Subproject commit c60d24c7b7cc95367da3ac8381db3463a6fbd147
+Subproject commit 9f3d6fce49cad3b45b5ddd0fe1f3c79186e1d2e7
diff --git a/aux/plugins b/aux/plugins
deleted file mode 160000
index a895d4d6d4..0000000000
--- a/aux/plugins
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit a895d4d6d475326f400e4664e08c8f71280d3294
diff --git a/bro-config.h.in b/bro-config.h.in
index 290dd31cae..003eea88b7 100644
--- a/bro-config.h.in
+++ b/bro-config.h.in
@@ -229,3 +229,14 @@
 #ifndef BRO_PLUGIN_INTERNAL_BUILD
 #define BRO_PLUGIN_INTERNAL_BUILD @BRO_PLUGIN_INTERNAL_BUILD@
 #endif
+
+/* A C function that has the Bro version encoded into its name. */
+#define BRO_VERSION_FUNCTION bro_version_@VERSION_C_IDENT@
+#ifdef __cplusplus
+extern "C" {
+#endif
+extern const char* BRO_VERSION_FUNCTION();
+#ifdef __cplusplus
+}
+#endif
+
diff --git a/cmake b/cmake
index 39510b5fb2..79f2b2e944 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 39510b5fb2351d7aac85da0d335a128402db3bbc
+Subproject commit 79f2b2e944da77774675be4d5254156451967371
diff --git a/doc/components/bro-plugins/README.rst b/doc/components/bro-plugins/README.rst
deleted file mode 120000
index 8f96f50909..0000000000
--- a/doc/components/bro-plugins/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../aux/plugins/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/af_packet/README.rst b/doc/components/bro-plugins/af_packet/README.rst
deleted file mode 120000
index b8f745bed2..0000000000
--- a/doc/components/bro-plugins/af_packet/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/af_packet/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/elasticsearch/README b/doc/components/bro-plugins/elasticsearch/README
deleted file mode 120000
index 8a5b78d689..0000000000
--- a/doc/components/bro-plugins/elasticsearch/README
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/elasticsearch/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/kafka/README.rst b/doc/components/bro-plugins/kafka/README.rst
deleted file mode 120000
index 6ca2195f17..0000000000
--- a/doc/components/bro-plugins/kafka/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/kafka/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/myricom/README.rst b/doc/components/bro-plugins/myricom/README.rst
deleted file mode 120000
index 3bfabcdae3..0000000000
--- a/doc/components/bro-plugins/myricom/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/myricom/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/netmap/README.rst b/doc/components/bro-plugins/netmap/README.rst
deleted file mode 120000
index 819a2bb0e9..0000000000
--- a/doc/components/bro-plugins/netmap/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/netmap/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/pf_ring/README.rst b/doc/components/bro-plugins/pf_ring/README.rst
deleted file mode 120000
index 5ea666e8c9..0000000000
--- a/doc/components/bro-plugins/pf_ring/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/pf_ring/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/postgresql/README.rst b/doc/components/bro-plugins/postgresql/README.rst
deleted file mode 120000
index b8c815c45b..0000000000
--- a/doc/components/bro-plugins/postgresql/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/postgresql/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/redis/README.rst b/doc/components/bro-plugins/redis/README.rst
deleted file mode 120000
index c42051828e..0000000000
--- a/doc/components/bro-plugins/redis/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/redis/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/tcprs/README.rst b/doc/components/bro-plugins/tcprs/README.rst
deleted file mode 120000
index c0e84fd579..0000000000
--- a/doc/components/bro-plugins/tcprs/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/tcprs/README
\ No newline at end of file
diff --git a/doc/components/index.rst b/doc/components/index.rst
index 85527e9f9c..c1feda4a61 100644
--- a/doc/components/index.rst
+++ b/doc/components/index.rst
@@ -21,7 +21,6 @@ current, independent component releases.
    Broker - User Manual <broker/broker-manual.rst>
    BroControl - Interactive Bro management shell <broctl/README>
    Bro-Aux - Small auxiliary tools for Bro <bro-aux/README>
-   Bro-Plugins - A collection of plugins for Bro <bro-plugins/README>
    BTest - A unit testing framework <btest/README>
    Capstats - Command-line packet statistic tool <capstats/README>
    PySubnetTree - Python module for CIDR lookups<pysubnettree/README>
diff --git a/doc/configuration/index.rst b/doc/configuration/index.rst
index fa49c3736e..508b3c1449 100644
--- a/doc/configuration/index.rst
+++ b/doc/configuration/index.rst
@@ -105,24 +105,9 @@ a Bro cluster (do this as the Bro user on the manager host only):
 
     > broctl install
 
-- Some tasks need to be run on a regular basis. On the manager node,
-  insert a line like this into the crontab of the user running the
-  cluster::
-
-      0-59/5 * * * * <prefix>/bin/broctl cron
-
-  (Note: if you are editing the system crontab instead of a user's own
-  crontab, then you need to also specify the user which the command
-  will be run as. The username must be placed after the time fields
-  and before the broctl command.)
-
-  Note that on some systems (FreeBSD in particular), the default PATH
-  for cron jobs does not include the directories where bash and python
-  are installed (the symptoms of this problem would be that "broctl cron"
-  works when run directly by the user, but does not work from a cron job).
-  To solve this problem, you would either need to create symlinks
-  to bash and python in a directory that is in the default PATH for
-  cron jobs, or specify a new PATH in the crontab.
+- See the :doc:`BroControl <../components/broctl/README>` documentation
+  for information on setting up a cron job on the manager host that can
+  monitor the cluster.
 
 
 PF_RING Cluster Configuration
diff --git a/doc/ext/bro.py b/doc/ext/bro.py
index 1df4a518c2..6a4c50e8ce 100644
--- a/doc/ext/bro.py
+++ b/doc/ext/bro.py
@@ -14,7 +14,7 @@ from sphinx.locale import l_, _
 from sphinx.directives import ObjectDescription
 from sphinx.roles import XRefRole
 from sphinx.util.nodes import make_refnode
-import string
+from sphinx import version_info
 
 from docutils import nodes
 from docutils.parsers.rst import Directive
@@ -29,9 +29,17 @@ class SeeDirective(Directive):
 
     def run(self):
         n = see('')
-        n.refs = string.split(string.join(self.content))
+        n.refs = " ".join(self.content).split()
         return [n]
 
+# Wrapper for creating a tuple for index nodes, staying backwards
+# compatible to Sphinx < 1.4:
+def make_index_tuple(indextype, indexentry, targetname, targetname2):
+    if version_info >= (1, 4, 0, '', 0):
+        return (indextype, indexentry, targetname, targetname2, None)
+    else:
+        return (indextype, indexentry, targetname, targetname2)
+
 def process_see_nodes(app, doctree, fromdocname):
     for node in doctree.traverse(see):
         content = []
@@ -95,8 +103,9 @@ class BroGeneric(ObjectDescription):
 
         indextext = self.get_index_text(self.objtype, name)
         if indextext:
-            self.indexnode['entries'].append(('single', indextext,
-                                              targetname, targetname))
+            self.indexnode['entries'].append(make_index_tuple('single',
+                                             indextext, targetname,
+                                             targetname))
 
     def get_index_text(self, objectname, name):
         return _('%s (%s)') % (name, self.objtype)
@@ -120,9 +129,9 @@ class BroNamespace(BroGeneric):
             self.update_type_map(name)
 
         indextext = self.get_index_text(self.objtype, name)
-        self.indexnode['entries'].append(('single', indextext,
+        self.indexnode['entries'].append(make_index_tuple('single', indextext,
                                           targetname, targetname))
-        self.indexnode['entries'].append(('single',
+        self.indexnode['entries'].append(make_index_tuple('single',
                                           "namespaces; %s" % (sig),
                                           targetname, targetname))
 
@@ -148,7 +157,7 @@ class BroEnum(BroGeneric):
             self.update_type_map(name)
 
         indextext = self.get_index_text(self.objtype, name)
-        #self.indexnode['entries'].append(('single', indextext,
+        #self.indexnode['entries'].append(make_index_tuple('single', indextext,
         #                                  targetname, targetname))
         m = sig.split()
 
@@ -162,7 +171,7 @@ class BroEnum(BroGeneric):
                 self.env.domaindata['bro']['notices'] = []
             self.env.domaindata['bro']['notices'].append(
                                 (m[0], self.env.docname, targetname))
-        self.indexnode['entries'].append(('single',
+        self.indexnode['entries'].append(make_index_tuple('single',
                                           "%s (enum values); %s" % (m[1], m[0]),
                                           targetname, targetname))
 
@@ -204,7 +213,7 @@ class BroNotices(Index):
             entries = content.setdefault(modname, [])
             entries.append([n[0], 0, n[1], n[2], '', '', ''])
 
-        content = sorted(content.iteritems())
+        content = sorted(content.items())
 
         return content, False
 
@@ -280,5 +289,5 @@ class BroDomain(Domain):
                         'unknown target for ":bro:%s:`%s`"' % (typ, target))
 
     def get_objects(self):
-        for (typ, name), docname in self.data['objects'].iteritems():
+        for (typ, name), docname in self.data['objects'].items():
             yield name, name, typ, docname, typ + '-' + name, 1
diff --git a/doc/frameworks/logging.rst b/doc/frameworks/logging.rst
index a5128da202..bcd84dde2b 100644
--- a/doc/frameworks/logging.rst
+++ b/doc/frameworks/logging.rst
@@ -532,10 +532,5 @@ Bro supports the following additional built-in output formats:
 
    logging-input-sqlite
 
-Additional writers are available as external plugins:
-
-.. toctree::
-   :maxdepth: 1
-
-   ../components/bro-plugins/README
-
+Additional writers are available as external plugins through the `Bro
+Package Manager <https://github.com/bro/bro-plugins>`_.
diff --git a/doc/frameworks/netcontrol.rst b/doc/frameworks/netcontrol.rst
index 5dcd4eda15..aeea6a70ec 100644
--- a/doc/frameworks/netcontrol.rst
+++ b/doc/frameworks/netcontrol.rst
@@ -31,12 +31,12 @@ NetControl Architecture
     NetControl architecture (click to enlarge).
 
 The basic architecture of the NetControl framework is shown in the figure above.
-Conceptually, the NetControl framework sits inbetween the user provided scripts
+Conceptually, the NetControl framework sits between the user provided scripts
 (which use the Bro event engine) and the network device (which can either be a
 hardware or software device), that is used to implement the commands.
 
 The NetControl framework supports a number of high-level calls, like the
-:bro:see:`NetControl::drop_address` function, or lower a lower level rule
+:bro:see:`NetControl::drop_address` function, or a lower level rule
 syntax. After a rule has been added to the NetControl framework, NetControl
 sends the rule to one or several of its *backends*. Each backend is responsible
 to communicate with a single hard- or software device. The NetControl framework
@@ -90,16 +90,12 @@ high-level functions.
 
     * - :bro:see:`NetControl::drop_address`
       - Calling this function causes NetControl to block all packets involving
-        an IP address from being forwarded
+        an IP address from being forwarded.
 
     * - :bro:see:`NetControl::drop_connection`
       - Calling this function stops all packets of a specific connection
         (identified by its 5-tuple) from being forwarded.
 
-    * - :bro:see:`NetControl::drop_address`
-      - Calling this function causes NetControl to block all packets involving
-        an IP address from being forwarded
-
     * - :bro:see:`NetControl::drop_address_catch_release`
       - Calling this function causes all packets of a specific source IP to be
         blocked. This function uses catch-and-release functionality and the IP
@@ -114,7 +110,7 @@ high-level functions.
         resources by shunting flows that have been identified as being benign.
 
     * - :bro:see:`NetControl::redirect_flow`
-      - Calling this function causes NetControl to redirect an uni-directional
+      - Calling this function causes NetControl to redirect a uni-directional
         flow to another port of the networking hardware.
 
     * - :bro:see:`NetControl::quarantine_host`
@@ -122,7 +118,7 @@ high-level functions.
         traffic to a host with a special DNS server, which resolves all queries
         as pointing to itself. The quarantined host is only allowed between the
         special server, which will serve a warning message detailing the next
-        steps for the user
+        steps for the user.
 
     * - :bro:see:`NetControl::whitelist_address`
       - Calling this function causes NetControl to push a whitelist entry for an
@@ -154,7 +150,7 @@ entries, which show that the debug plugin has been initialized and added.
 Afterwards, there are two :bro:see:`NetControl::RULE` entries; the first shows
 that the addition of a rule has been requested (state is
 :bro:see:`NetControl::REQUESTED`). The following line shows that the rule was
-successfully added (the state is  :bro:see:`NetControl::SUCCEEDED`). The
+successfully added (the state is :bro:see:`NetControl::SUCCEEDED`). The
 remainder of the log line gives more information about the added rule, which in
 our case applies to a specific 5-tuple.
 
@@ -227,14 +223,14 @@ The *target* of a rule specifies if the rule is applied in the *forward path*,
 and affects packets as they are forwarded through the network, or if it affects
 the *monitor path* and only affects the packets that are sent to Bro, but not
 the packets that traverse the network. The *entity* specifies the address,
-connection, etc. that the rule applies to. In addition, each notice has a
+connection, etc. that the rule applies to. In addition, each rule has a
 *timeout* (which can be left empty), a *priority* (with higher priority rules
 overriding lower priority rules). Furthermore, a *location* string with more
 text information about each rule can be provided.
 
-There are a couple more fields that only needed for some rule types. For
+There are a couple more fields that are only needed for some rule types. For
 example, when you insert a redirect rule, you have to specify the port that
-packets should be redirected too. All these fields are shown in the
+packets should be redirected to. All these fields are shown in the
 :bro:see:`NetControl::Rule` documentation.
 
 To give an example on how to construct your own rule, we are going to write
@@ -243,7 +239,7 @@ difference between our function and the one provided by NetControl is the fact
 that the NetControl function has additional functionality, e.g. for logging.
 
 Once again, we are going to test our function with a simple example that simply
-drops all connections on the Network:
+drops all connections on the network:
 
 .. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-4-drop.bro
 
@@ -254,7 +250,7 @@ drops all connections on the Network:
 
 The last example shows that :bro:see:`NetControl::add_rule` returns a string
 identifier that is unique for each rule (uniqueness is not preserved across
-restarts or Bro). This rule id can be used to later remove rules manually using
+restarts of Bro). This rule id can be used to later remove rules manually using
 :bro:see:`NetControl::remove_rule`.
 
 Similar to :bro:see:`NetControl::add_rule`, all the high-level functions also
@@ -264,7 +260,7 @@ Interacting with Rules
 ----------------------
 
 The NetControl framework offers a number of different ways to interact with
-Rules. Before a rule is applied by the framework, a number of different hooks
+rules. Before a rule is applied by the framework, a number of different hooks
 allow you to either modify or discard rules before they are added. Furthermore,
 a number of events can be used to track the lifecycle of a rule while it is
 being managed by the NetControl framework. It is also possible to query and
@@ -276,7 +272,7 @@ Rule Policy
 The hook :bro:see:`NetControl::rule_policy` provides the mechanism for modifying
 or discarding a rule before it is sent onwards to the backends. Hooks can be
 thought of as multi-bodied functions and using them looks very similar to
-handling events. In difference to events, they are processed immediately. Like
+handling events. In contrast to events, they are processed immediately. Like
 events, hooks can have priorities to sort the order in which they are applied.
 Hooks can use the ``break`` keyword to show that processing should be aborted;
 if any :bro:see:`NetControl::rule_policy` hook uses ``break``, the rule will be
@@ -315,7 +311,7 @@ this order:
 
     * - :bro:see:`NetControl::rule_new`
       - Signals that a new rule is created by the NetControl framework due to
-        :bro:see:`NetControl::add_rule`. At this point of time, the rule has not
+        :bro:see:`NetControl::add_rule`. At this point, the rule has not
         yet been added to any backend.
 
     * - :bro:see:`NetControl::rule_added`
@@ -328,15 +324,15 @@ this order:
     * - :bro:see:`NetControl::rule_timeout`
       - Signals that a rule timeout was reached. If the hardware does not support
         automatic timeouts, the NetControl framework will automatically call
-        bro:see:`NetControl::remove_rule`.
+        :bro:see:`NetControl::remove_rule`.
 
     * - :bro:see:`NetControl::rule_removed`
       - Signals that a new rule has successfully been removed a backend.
 
     * - :bro:see:`NetControl::rule_destroyed`
       - This event is the pendant to :bro:see:`NetControl::rule_added`, and
-        reports that a rule is no longer be tracked by the NetControl framework.
-        This happens, for example, when a rule was removed from all backend.
+        reports that a rule is no longer being tracked by the NetControl framework.
+        This happens, for example, when a rule was removed from all backends.
 
     * - :bro:see:`NetControl::rule_error`
       - This event is raised whenever an error occurs during any rule operation.
@@ -385,7 +381,7 @@ NetControl also comes with a blocking function that uses an approach called
 
 Catch and release is a blocking scheme that conserves valuable rule space in
 your hardware. Instead of using long-lasting blocks, catch and release first
-only installs blocks for short amount of times (typically a few minutes). After
+only installs blocks for a short amount of time (typically a few minutes). After
 these minutes pass, the block is lifted, but the IP address is added to a
 watchlist and the IP address will immediately be re-blocked again (for a longer
 amount of time), if it is seen reappearing in any traffic, no matter if the new
@@ -397,7 +393,7 @@ addresses that only are seen once for a short time are only blocked for a few
 minutes, monitored for a while and then forgotten. IP addresses that keep
 appearing will get re-blocked for longer amounts of time.
 
-In difference to the other high-level functions that we documented so far, the
+In contrast to the other high-level functions that we documented so far, the
 catch and release functionality is much more complex and adds a number of
 different specialized functions to NetControl. The documentation for catch and
 release is contained in the file
@@ -481,7 +477,7 @@ The plugins that currently ship with NetControl are:
         plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/acld.bro`.
 
     * - PacketFilter plugin
-      - This plugin adds uses the Bro process-level packet filter (see
+      - This plugin uses the Bro process-level packet filter (see
         :bro:see:`install_src_net_filter` and
         :bro:see:`install_dst_net_filter`). Since the functionality of the
         PacketFilter is limited, this plugin is mostly for demonstration purposes. The source of this
@@ -496,7 +492,7 @@ Activating plugins
 
 In the API reference part of this document, we already used the debug plugin. To
 use the plugin, we first had to instantiate it by calling
-:bro:see:`NetControl::NetControl::create_debug` and then add it to NetControl by
+:bro:see:`NetControl::create_debug` and then add it to NetControl by
 calling :bro:see:`NetControl::activate`.
 
 As we already hinted before, NetControl supports having several plugins that are
@@ -607,7 +603,7 @@ Writing plugins
 
 In addition to using the plugins that are part of NetControl, you can write your
 own plugins to interface with hard- or software that we currently do not support
-out of the Box.
+out of the box.
 
 Creating your own plugin is easy; besides a bit of boilerplate, you only need to
 create two functions: one that is called when a rule is added, and one that is
diff --git a/doc/install/guidelines.rst b/doc/install/guidelines.rst
index a56110f865..096c95fb9e 100644
--- a/doc/install/guidelines.rst
+++ b/doc/install/guidelines.rst
@@ -10,40 +10,53 @@ there's two suggested approaches: either install Bro using the same
 installation prefix directory as before, or pick a new prefix and copy
 local customizations over.
 
-Regardless of which approach you choose, if you are using BroControl, then
-before doing the upgrade you should stop all running Bro processes with the
-"broctl stop" command.  After the upgrade is complete then you will need
-to run "broctl deploy".
-
 In the following we summarize general guidelines for upgrading, see
 the :ref:`release-notes` for version-specific information.
 
 
 Reusing Previous Install Prefix
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 If you choose to configure and install Bro with the same prefix
-directory as before, local customization and configuration to files in
-``$prefix/share/bro/site`` and ``$prefix/etc`` won't be overwritten
-(``$prefix`` indicating the root of where Bro was installed). Also, logs
-generated at run-time won't be touched by the upgrade. Backing up local
-changes before upgrading is still recommended.
+directory as before, first stop all running Bro instances in your
+cluster (if using BroControl, issue the "broctl stop" command on the
+manager host).  Next, make a backup of the Bro install prefix directory.
 
-After upgrading, remember to check ``$prefix/share/bro/site`` and
-``$prefix/etc`` for ``.example`` files, which indicate that the
-distribution's version of the file differs from the local one, and therefore,
-may include local changes.  Review the differences and make adjustments
-as necessary. Use the new version for differences that aren't a result of
-a local change.
+During the upgrade, any file in the install prefix may be
+overwritten or removed, except for local customization of
+files in the ``$prefix/share/bro/site`` and ``$prefix/etc``
+directories (``$prefix`` indicating the root
+of where Bro was installed).  Also, logs generated at run-time
+won't be touched by the upgrade.
+
+After upgrading, remember to check the ``$prefix/share/bro/site`` and
+``$prefix/etc`` directories for files with a file extension of ``.example``,
+which indicate that the distribution's version of the file differs from the
+local one, and therefore, may include local changes.  Review the
+differences and make adjustments as necessary. Use the new version
+for differences that aren't a result of a local change.
+
+Finally, if using BroControl, then issue the "broctl deploy" command.  This
+command will check for any policy script errors, install the new version
+of Bro to all machines in your cluster, and then it will start Bro.
 
 Using a New Install Prefix
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 To install the newer version in a different prefix directory than before,
-copy local customization and configuration files from ``$prefix/share/bro/site``
-and ``$prefix/etc`` to the new location (``$prefix`` indicating the root of
-where Bro was originally installed).  Review the files for differences
+first stop all running Bro instances in your cluster (if using BroControl,
+then issue a "broctl stop" command on the manager host).  Next,
+install the new version of Bro in a new directory.
+
+Next, copy local customization and configuration files
+from the ``$prefix/share/bro/site`` and ``$prefix/etc`` directories to the
+new location (``$prefix`` indicating the root of where Bro was originally
+installed).  Review the files for differences
 before copying and make adjustments as necessary (use the new version for
 differences that aren't a result of a local change).  Of particular note,
 the copied version of ``$prefix/etc/broctl.cfg`` is likely to need changes
 to any settings that specify a pathname.
+
+Finally, if using BroControl, then issue the "broctl deploy" command.  This
+command will check for any policy script errors, install the new version
+of Bro to all machines in your cluster, and then it will start Bro.
diff --git a/doc/install/install.rst b/doc/install/install.rst
index 4b1f408202..4c43ee9c73 100644
--- a/doc/install/install.rst
+++ b/doc/install/install.rst
@@ -31,7 +31,7 @@ before you begin:
     * BIND8 library
     * Libz
     * Bash (for BroControl)
-    * Python (for BroControl)
+    * Python 2.6 or greater (for BroControl)
 
 To build Bro from source, the following additional dependencies are required:
 
@@ -54,12 +54,18 @@ To install the required dependencies, you can use:
 
      sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel
 
+  In order to build Bro on Fedora 26, install ``compat-openssl10-devel`` instead
+  of ``openssl-devel``.
+
 * DEB/Debian-based Linux:
 
   .. console::
 
      sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
 
+  In order to build Bro on Debian 9, install ``libssl1.0-dev`` instead
+  of ``libssl-dev``.
+
 * FreeBSD:
 
   Most required dependencies should come with a minimal FreeBSD install
@@ -69,9 +75,6 @@ To install the required dependencies, you can use:
 
       sudo pkg install bash cmake swig bison python py27-sqlite3
 
-  Note that in older versions of FreeBSD, you might have to use the
-  "pkg_add -r" command instead of "pkg install".
-
   For older versions of FreeBSD (especially FreeBSD 9.x), the system compiler
   is not new enough to compile Bro. For these systems, you will have to install
   a newer compiler using pkg; the ``clang34`` package should work.
@@ -89,19 +92,23 @@ To install the required dependencies, you can use:
 
 * Mac OS X:
 
-  Compiling source code on Macs requires first installing Xcode_ (in older
-  versions of Xcode, you would then need to go through its
-  "Preferences..." -> "Downloads" menus to install the "Command Line Tools"
-  component).
+  Compiling source code on Macs requires first installing either Xcode_
+  or the "Command Line Tools" (which is a much smaller download).  To check
+  if either is installed, run the ``xcode-select -p`` command.  If you see
+  an error message, then neither is installed and you can then run
+  ``xcode-select --install`` which will prompt you to either get Xcode (by
+  clicking "Get Xcode") or to install the command line tools (by
+  clicking "Install").
 
   OS X comes with all required dependencies except for CMake_, SWIG_,
-  and OpenSSL. (OpenSSL used to be part of OS X versions 10.10
-  and older, for which it does not need to be installed manually. It
-  was removed in OS X 10.11). Distributions of these dependencies can
+  and OpenSSL (OpenSSL headers were removed in OS X 10.11, therefore OpenSSL
+  must be installed manually for OS X versions 10.11 or newer).
+  Distributions of these dependencies can
   likely be obtained from your preferred Mac OS X package management
   system (e.g. Homebrew_, MacPorts_, or Fink_). Specifically for
   Homebrew, the ``cmake``, ``swig``, and ``openssl`` packages
-  provide the required dependencies.
+  provide the required dependencies.  For MacPorts, the ``cmake``, ``swig``,
+  ``swig-python``, and ``openssl`` packages provide the required dependencies.
 
 
 Optional Dependencies
diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst
index ba9896e19d..d7e0491501 100644
--- a/doc/quickstart/index.rst
+++ b/doc/quickstart/index.rst
@@ -78,15 +78,6 @@ You can leave it running for now, but to stop this Bro instance you would do:
 
    [BroControl] > stop
 
-We also recommend to insert the following entry into the crontab of the user
-running BroControl::
-
-      0-59/5 * * * * $PREFIX/bin/broctl cron
-
-This will perform a number of regular housekeeping tasks, including
-verifying that the process is still running (and restarting if not in
-case of any abnormal termination).
-
 Browsing Log Files
 ------------------
 
@@ -232,23 +223,25 @@ That's exactly what we want to do for the first notice.  Add to ``local.bro``:
    inside the module.
 
 Then go into the BroControl shell to check whether the configuration change
-is valid before installing it and then restarting the Bro instance:
+is valid before installing it and then restarting the Bro instance.  The
+"deploy" command does all of this automatically:
 
 .. console::
 
-   [BroControl] > check
-   bro scripts are ok.
-   [BroControl] > install
-   removing old policies in /usr/local/bro/spool/policy/site ... done.
-   removing old policies in /usr/local/bro/spool/policy/auto ... done.
-   creating policy directories ... done.
-   installing site policies ... done.
-   generating standalone-layout.bro ... done.
-   generating local-networks.bro ... done.
-   generating broctl-config.bro ... done.
-   updating nodes ... done.
-   [BroControl] > restart
+   [BroControl] > deploy
+   checking configurations ...
+   installing ...
+   removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/site ...
+   removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/auto ...
+   creating policy directories ...
+   installing site policies ...
+   generating standalone-layout.bro ...
+   generating local-networks.bro ...
+   generating broctl-config.bro ...
+   generating broctl-config.sh ...
+   stopping ...
    stopping bro ...
+   starting ...
    starting bro ...
 
 Now that the SSL notice is ignored, let's look at how to send an email
@@ -281,8 +274,8 @@ connection field is in the set of watched servers.
    order to avoid ambiguity with the built-in address type's use of '.'
    in IPv4 dotted decimal representations.
 
-Remember, to finalize that configuration change perform the ``check``,
-``install``, ``restart`` commands in that order inside the BroControl shell.
+Remember, to finalize that configuration change perform the ``deploy``
+command inside the BroControl shell.
 
 Next Steps
 ----------
@@ -323,9 +316,8 @@ Analyzing live traffic from an interface is simple:
 
    bro -i en0 <list of scripts to load>
 
-``en0`` can be replaced by the interface of your choice and for the list of
-scripts, you can just use "all" for now to perform all the default analysis
-that's available.
+``en0`` can be replaced by the interface of your choice. A selection
+of common base scripts will be loaded by default.
 
 Bro will output log files into the working directory.
 
@@ -333,22 +325,6 @@ Bro will output log files into the working directory.
    capturing as an unprivileged user and checksum offloading are
    particularly relevant at this point.
 
-To use the site-specific ``local.bro`` script, just add it to the
-command-line:
-
-.. console::
-
-   bro -i en0 local
-
-This will cause Bro to print a warning about lacking the
-``Site::local_nets`` variable being configured. You can supply this
-information at the command line like this (supply your "local" subnets
-in place of the example subnets):
-
-.. console::
-
-   bro -r mypackets.trace local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }"
-
 
 Reading Packet Capture (pcap) Files
 -----------------------------------
@@ -380,7 +356,6 @@ script that we include as a suggested configuration:
 
   bro -r mypackets.trace local
 
-
 Telling Bro Which Scripts to Load
 ---------------------------------
 
@@ -388,33 +363,65 @@ A command-line invocation of Bro typically looks like:
 
 .. console::
 
-   bro <options> <policies...>
+   bro <options> <scripts...>
 
 Where the last arguments are the specific policy scripts that this Bro
 instance will load.  These arguments don't have to include the ``.bro``
-file extension, and if the corresponding script resides under the default
-installation path, ``$PREFIX/share/bro``, then it requires no path
-qualification.  Further, a directory of scripts can be specified as
-an argument to be loaded as a "package" if it contains a ``__load__.bro``
-script that defines the scripts that are part of the package.
+file extension, and if the corresponding script resides in the default
+search path, then it requires no path qualification.  The following 
+directories are included in the default search path for Bro scripts::
+   
+   ./
+   <prefix>/share/bro/
+   <prefix>/share/bro/policy/
+   <prefix>/share/bro/site/
 
-This example does all of the base analysis (primarily protocol
-logging) and adds SSL certificate validation.
+These prefix paths can be used to load scripts like this:
 
 .. console::
 
-   bro -r mypackets.trace protocols/ssl/validate-certs
+   bro -r mypackets.trace frameworks/files/extract-all
+
+This will load the 
+``<prefix>/share/bro/policy/frameworks/files/extract-all.bro`` script which will
+cause Bro to extract all of the files it discovers in the PCAP.
+
+.. note:: If one wants Bro to be able to load scripts that live outside the
+   default directories in Bro's installation root, the full path to the file(s)
+   must be provided.  See the default search path by running ``bro --help``.
 
 You might notice that a script you load from the command line uses the
 ``@load`` directive in the Bro language to declare dependence on other scripts.
 This directive is similar to the ``#include`` of C/C++, except the semantics
 are, "load this script if it hasn't already been loaded."
 
-.. note:: If one wants Bro to be able to load scripts that live outside the
-   default directories in Bro's installation root, the ``BROPATH`` environment
-   variable will need to be extended to include all the directories that need
-   to be searched for scripts.  See the default search path by doing
-   ``bro --help``.
+Further, a directory of scripts can be specified as
+an argument to be loaded as a "package" if it contains a ``__load__.bro``
+script that defines the scripts that are part of the package.
+
+Local site customization
+------------------------
+
+There is one script that is installed which is considered "local site 
+customization" and is not overwritten when upgrades take place. To use 
+the site-specific ``local.bro`` script, just add it to the command-line (can
+also be loaded through scripts with @load):
+
+.. console::
+
+   bro -i en0 local
+
+This causes Bro to load a script that prints a warning about lacking the
+``Site::local_nets`` variable being configured. You can supply this
+information at the command line like this (supply your "local" subnets
+in place of the example subnets):
+
+.. console::
+
+   bro -r mypackets.trace local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }"
+
+When running with Broctl, this value is set by configuring the ``networks.cfg``
+file.
 
 Running Bro Without Installing
 ------------------------------
diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst
index 795b33f6b8..e8550ee41c 100644
--- a/doc/script-reference/log-files.rst
+++ b/doc/script-reference/log-files.rst
@@ -76,6 +76,10 @@ Files
 +============================+=======================================+=================================+
 | files.log                  | File analysis results                 | :bro:type:`Files::Info`         |
 +----------------------------+---------------------------------------+---------------------------------+
+| ocsp.log                   | Online Certificate Status Protocol    | :bro:type:`OCSP::Info`          |
+|                            | (OCSP). Only created if policy script |                                 |
+|                            | is loaded.                            |                                 |
++----------------------------+---------------------------------------+---------------------------------+
 | pe.log                     | Portable Executable (PE)              | :bro:type:`PE::Info`            |
 +----------------------------+---------------------------------------+---------------------------------+
 | x509.log                   | X.509 certificate info                | :bro:type:`X509::Info`          |
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index 6d6faf7b4a..fb20ba6fdb 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -18,6 +18,10 @@ InstallPackageConfigFile(
     ${CMAKE_CURRENT_SOURCE_DIR}/site/local-manager.bro
     ${BRO_SCRIPT_INSTALL_PATH}/site
     local-manager.bro)
+InstallPackageConfigFile(
+    ${CMAKE_CURRENT_SOURCE_DIR}/site/local-logger.bro
+    ${BRO_SCRIPT_INSTALL_PATH}/site
+    local-logger.bro)
 InstallPackageConfigFile(
     ${CMAKE_CURRENT_SOURCE_DIR}/site/local-proxy.bro
     ${BRO_SCRIPT_INSTALL_PATH}/site
diff --git a/scripts/base/files/extract/main.bro b/scripts/base/files/extract/main.bro
index 7f68a8bcce..22207000bf 100644
--- a/scripts/base/files/extract/main.bro
+++ b/scripts/base/files/extract/main.bro
@@ -14,6 +14,13 @@ export {
 	redef record Files::Info += {
 		## Local filename of extracted file.
 		extracted: string &optional &log;
+
+		## Set to true if the file being extracted was cut off
+		## so the whole file was not logged.
+		extracted_cutoff: bool &optional &log;
+
+		## The number of bytes extracted to disk.
+		extracted_size: count &optional &log;
 	};
 
 	redef record Files::AnalyzerArgs += {
@@ -58,9 +65,16 @@ function on_add(f: fa_file, args: Files::AnalyzerArgs)
 
 	f$info$extracted = args$extract_filename;
 	args$extract_filename = build_path_compressed(prefix, args$extract_filename);
+	f$info$extracted_cutoff = F;
 	mkdir(prefix);
 	}
 
+event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count) &priority=10
+	{
+	f$info$extracted_cutoff = T;
+	f$info$extracted_size = limit;
+	}
+
 event bro_init() &priority=10
 	{
 	Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add);
diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README
index 8b50366cd2..515b0e0b1c 100644
--- a/scripts/base/files/x509/README
+++ b/scripts/base/files/x509/README
@@ -1 +1,2 @@
 Support for X509 certificates with the file analysis framework.
+Also supports parsing OCSP requests and responses.
diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
index bbf99f6a4d..30f60f1362 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@@ -10,23 +10,17 @@ export {
 	type Info: record {
 		## Current timestamp.
 		ts: time &log;
-
 		## File id of this certificate.
 		id: string &log;
-
 		## Basic information about the certificate.
 		certificate: X509::Certificate &log;
-
 		## The opaque wrapping the certificate. Mainly used
 		## for the verify operations.
 		handle: opaque of x509;
-
 		## All extensions that were encountered in the certificate.
 		extensions: vector of X509::Extension &default=vector();
-
 		## Subject alternative name extension of the certificate.
 		san: X509::SubjectAlternativeName &optional &log;
-
 		## Basic constraints extension of the certificate.
 		basic_constraints: X509::BasicConstraints &optional &log;
 	};
@@ -38,6 +32,24 @@ export {
 event bro_init() &priority=5
 	{
 	Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]);
+
+	# We use MIME types internally to distinguish between user and CA certificates.
+	# The first certificate in a connection always gets tagged as user-cert, all
+	# following certificates get tagged as CA certificates. Certificates gotten via
+	# other means (e.g. identified from HTTP traffic when they are transfered in plain
+	# text) get tagged as application/pkix-cert.
+	Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert");
+	Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert");
+	Files::register_for_mime_type(Files::ANALYZER_X509, "application/pkix-cert");
+
+	# Always calculate hashes. They are not necessary for base scripts
+	# but very useful for identification, and required for policy scripts
+	Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-user-cert");
+	Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-ca-cert");
+	Files::register_for_mime_type(Files::ANALYZER_MD5, "application/pkix-cert");
+	Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert");
+	Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert");
+	Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/pkix-cert");
 	}
 
 redef record Files::Info += {
@@ -48,9 +60,6 @@ redef record Files::Info += {
 
 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
 	{
-	if ( ! f$info?$mime_type )
-		f$info$mime_type = "application/pkix-cert";
-
 	f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
 	}
 
diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro
index 0818855d8f..835a9ed796 100644
--- a/scripts/base/frameworks/broker/main.bro
+++ b/scripts/base/frameworks/broker/main.bro
@@ -14,6 +14,7 @@ module Broker;
 export {
 
 	## A name used to identify this endpoint to peers.
+	##
 	## .. bro:see:: Broker::connect Broker::listen
 	const endpoint_name = "" &redef;
 
diff --git a/scripts/base/frameworks/files/magic/font.sig b/scripts/base/frameworks/files/magic/font.sig
index 8f2857f6e3..809a4fc1e0 100644
--- a/scripts/base/frameworks/files/magic/font.sig
+++ b/scripts/base/frameworks/files/magic/font.sig
@@ -1,8 +1,14 @@
 
+# Web Open Font Format 2
+signature file-woff2 {
+	file-mime "application/font-woff2", 70
+	file-magic /^wOF2/
+}
+
 # Web Open Font Format
 signature file-woff {
-	file-magic /^wOFF/
 	file-mime "application/font-woff", 70
+	file-magic /^wOFF/
 }
 
 # TrueType font
diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index 1703790037..23b1c1d074 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -116,7 +116,7 @@ signature file-reg-utf16 {
 
 # Microsoft Registry format (typically DESKTOP.DAT)
 signature file-regf {
-	file-mime "application vnd.ms-regf", 49
+	file-mime "application/vnd.ms-regf", 49
 	file-magic /^\x72\x65\x67\x66/
 }
 
@@ -292,6 +292,104 @@ signature file-skp {
 	file-mime "application/skp", 100
 }
 
+# Microsoft DirectDraw Surface
+signature file-msdds {
+	file-mime "application/x-ms-dds", 100
+	file-magic /^DDS/
+}
+
+# bsdiff output
+signature file-bsdiff {
+	file-mime "application/bsdiff", 100
+	file-magic /^BSDIFF/
+}
+
+# AV Update binary diffs (mostly kaspersky)
+#     inferred from traffic analysis
+signature file-binarydiff {
+	file-mime "application/bindiff", 100
+	file-magic /^DIFF/
+}
+
+# Kaspersky Database
+#    inferred from traffic analysis
+signature file-kaspdb {
+	file-mime "application/x-kaspavdb", 100
+	file-magic /^KLZF/
+}
+
+# Kaspersky AV Database diff
+#     inferred from traffic analysis
+signature file-kaspdbdif {
+	file-mime "application/x-kaspavupdate", 100
+	file-magic /^KLD2/
+}
+
+# MSSQL Backups
+signature file-mssqlbak {
+	file-mime "application/mssql-bak", 100
+	file-magic /^MSSQLBAK/
+}
+
+# Microsoft Tape Format
+# MSSQL transaction log
+signature file-ms-tf {
+	file-mime "application/mtf", 100
+	file-magic /^TAPE/
+}
+
+# Binary property list (Apple)
+signature file-bplist {
+	file-mime "application/bplist", 100
+	file-magic /^bplist0?/
+}
+
+# Microsoft Compiled HTML Help File
+signature file-mshelp {
+	file-mime "application/mshelp", 100
+	file-magic /^ITSF/
+}
+
+# Blizzard game file MPQ Format
+signature file-mpqgame {
+	file-mime "application/x-game-mpq", 100
+	file-magic /^MPQ\x1a/
+}
+
+# Blizzard CASC Format game file 
+signature file-blizgame {
+	file-mime "application/x-blizgame", 100
+	file-magic /^BLTE/
+}
+
+# iOS Mapkit tiles
+# inferred from traffic analysis
+signature file-mapkit-tile {
+	file-mime "application/map-tile", 100
+	file-magic /^VMP4/
+}
+
+# Google Chrome Extension file
+signature file-chrome-extension {
+	file-mime "application/chrome-ext", 100
+	file-magic /^Cr24/
+}
+
+# Google Chrome Extension Update Delta
+# not 100% sure about this identification
+# this may be google chrome updates, not extensions
+signature file-chrome-extension-update {
+	file-mime "application/chrome-ext-upd", 70
+	file-magic /^CrOD/
+}
+
+# Microsoft Message Queueing
+# .net related
+signature file-msqm {
+	file-mime "application/msqm", 100
+	file-magic /^MSQM/
+}
+
 signature file-elf-object {
 	file-mime "application/x-object", 50
 	file-magic /\x7fELF[\x01\x02](\x01.{10}\x01\x00|\x02.{10}\x00\x01)/
@@ -310,4 +408,9 @@ signature file-elf-sharedlib {
 signature file-elf-coredump {
 	file-mime "application/x-coredump", 50
 	file-magic /\x7fELF[\x01\x02](\x01.{10}\x04\x00|\x02.{10}\x00\x04)/
-}
\ No newline at end of file
+}
+
+signature file-vim-tmp {
+	file-mime "application/x-vim-tmp", 100
+	file-magic /^b0VIM/
+}
diff --git a/scripts/base/frameworks/files/magic/image.sig b/scripts/base/frameworks/files/magic/image.sig
index c6c0d13a50..03563f7897 100644
--- a/scripts/base/frameworks/files/magic/image.sig
+++ b/scripts/base/frameworks/files/magic/image.sig
@@ -164,3 +164,9 @@ signature file-award-bios-logo {
 	file-mime "image/x-award-bioslogo", 50
 	file-magic /^\x11[\x06\x09]/
 }
+
+# WebP, lossy image format from Google
+signature file-webp {
+	file-mime "image/webp", 70
+	file-magic /^RIFF.{4}WEBP/
+}
diff --git a/scripts/base/frameworks/files/magic/msoffice.sig b/scripts/base/frameworks/files/magic/msoffice.sig
index 7ae866a088..1c979b62bd 100644
--- a/scripts/base/frameworks/files/magic/msoffice.sig
+++ b/scripts/base/frameworks/files/magic/msoffice.sig
@@ -18,7 +18,7 @@ signature file-docx {
 }
 
 signature file-xlsx {
-	file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|xl\2f).*PK\x03\x04.{26}xl\x2f/
+	file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|xl\x2f).*PK\x03\x04.{26}xl\x2f/
 	file-mime "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", 80
 }
 
diff --git a/scripts/base/frameworks/input/readers/ascii.bro b/scripts/base/frameworks/input/readers/ascii.bro
index 1b486ddba0..1d4072e118 100644
--- a/scripts/base/frameworks/input/readers/ascii.bro
+++ b/scripts/base/frameworks/input/readers/ascii.bro
@@ -18,4 +18,33 @@ export {
 
 	## String to use for an unset &optional field.
 	const unset_field = Input::unset_field &redef;
+
+	## Fail on invalid lines. If set to false, the ascii
+	## input reader will jump over invalid lines, reporting
+	## warnings in reporter.log. If set to true, errors in
+	## input lines will be handled as fatal errors for the
+	## reader thread; reading will abort immediately and
+	## an error will be logged to reporter.log.
+	## Individual readers can use a different value using
+	## the $config table.
+	## fail_on_invalid_lines = T was the default behavior
+	## until Bro 2.6.
+	const fail_on_invalid_lines = F &redef;
+
+	## Fail on file read problems. If set to true, the ascii
+	## input reader will fail when encountering any problems
+	## while reading a file different from invalid lines.
+	## Examples of such problems are permission problems, or
+	## missing files.
+	## When set to false, these problems will be ignored. This
+	## has an especially big effect for the REREAD mode, which will
+	## seamlessly recover from read errors when a file is
+	## only temporarily inaccessible. For MANUAL or STREAM files,
+	## errors will most likely still be fatal since no automatic
+	## re-reading of the file is attempted.
+	## Individual readers can use a different value using
+	## the $config table.
+	## fail_on_file_problem = T was the default behavior
+	## until Bro 2.6.
+	const fail_on_file_problem = F &redef;
 }
diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.bro
index 0727fb6746..820a5497a2 100644
--- a/scripts/base/frameworks/intel/cluster.bro
+++ b/scripts/base/frameworks/intel/cluster.bro
@@ -12,7 +12,7 @@ redef record Item += {
 	first_dispatch: bool &default=T;
 };
 
-# If this process is not a manager process, we don't want the full metadata
+# If this process is not a manager process, we don't want the full metadata.
 @if ( Cluster::local_node_type() != Cluster::MANAGER )
 redef have_full_data = F;
 @endif
@@ -20,7 +20,7 @@ redef have_full_data = F;
 # Internal event for cluster data distribution.
 global cluster_new_item: event(item: Item);
 
-# Primary intelligence management is done by the manager:
+# Primary intelligence management is done by the manager.
 # The manager informs the workers about new items and item removal.
 redef Cluster::manager2worker_events += /^Intel::(cluster_new_item|purge_item)$/;
 # A worker queries the manager to insert, remove or indicate the match of an item.
diff --git a/scripts/base/frameworks/intel/files.bro b/scripts/base/frameworks/intel/files.bro
index 454f63352c..74fd156520 100644
--- a/scripts/base/frameworks/intel/files.bro
+++ b/scripts/base/frameworks/intel/files.bro
@@ -1,5 +1,5 @@
 ##! File analysis framework integration for the intelligence framework. This
-##! script manages file information in intelligence framework datastructures.
+##! script manages file information in intelligence framework data structures.
 
 @load ./main
 
diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro
index a9128d62f2..30f9a6bf75 100644
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@@ -1,6 +1,7 @@
-##! The intelligence framework provides a way to store and query intelligence data
-##! (e.g. IP addresses, URLs and hashes). The intelligence items can be associated
-##! with metadata to allow informed decisions about matching and handling.
+##! The intelligence framework provides a way to store and query intelligence
+##! data (e.g. IP addresses, URLs and hashes). The intelligence items can be
+##! associated with metadata to allow informed decisions about matching and
+##! handling.
 
 @load base/frameworks/notice
 
@@ -406,7 +407,11 @@ function insert(item: Item)
 			if ( host !in data_store$host_data )
 				data_store$host_data[host] = table();
 			else
+				{
 				is_new = F;
+				# Reset expiration timer.
+				data_store$host_data[host] = data_store$host_data[host];
+				}
 
 			meta_tbl = data_store$host_data[host];
 			}
@@ -421,7 +426,11 @@ function insert(item: Item)
 			if ( !check_subnet(net, data_store$subnet_data) )
 				data_store$subnet_data[net] = table();
 			else
+				{
 				is_new = F;
+				# Reset expiration timer.
+				data_store$subnet_data[net] = data_store$subnet_data[net];
+				}
 
 			meta_tbl = data_store$subnet_data[net];
 			}
@@ -435,7 +444,12 @@ function insert(item: Item)
 			if ( [lower_indicator, item$indicator_type] !in data_store$string_data )
 				data_store$string_data[lower_indicator, item$indicator_type] = table();
 			else
+				{
 				is_new = F;
+				# Reset expiration timer.
+				data_store$string_data[lower_indicator, item$indicator_type] =
+					data_store$string_data[lower_indicator, item$indicator_type];
+				}
 
 			meta_tbl = data_store$string_data[lower_indicator, item$indicator_type];
 			}
diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro
index 6741147834..998a0e0f6c 100644
--- a/scripts/base/frameworks/logging/main.bro
+++ b/scripts/base/frameworks/logging/main.bro
@@ -79,7 +79,7 @@ export {
 
 	## Information passed into rotation callback functions.
 	type RotationInfo: record {
-		writer: Writer;		##< The :bro:type:`Log::Writer` being used.
+		writer: Writer;		##< The log writer being used.
 		fname: string;		##< Full name of the rotated file.
 		path: string;		##< Original path value.
 		open: time;		##< Time when opened.
@@ -131,7 +131,7 @@ export {
 	## Default log extension function in the case that you would like to
 	## apply the same extensions to all logs.  The function *must* return
 	## a record with all of the fields to be included in the log. The
-	## default function included here does not return a value to indicate
+	## default function included here does not return a value, which indicates
 	## that no extensions are added.
 	const Log::default_ext_func: function(path: string): any =
 		function(path: string) { } &redef;
@@ -348,7 +348,7 @@ export {
 	##          to handle, or one of the stream's filters has an invalid
 	##          ``path_func``.
 	##
-	## .. bro:see: Log::enable_stream Log::disable_stream
+	## .. bro:see:: Log::enable_stream Log::disable_stream
 	global write: function(id: ID, columns: any) : bool;
 
 	## Sets the buffering status for all the writers of a given logging stream.
diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro
index c10c86145e..bbf11c26e7 100644
--- a/scripts/base/frameworks/logging/writers/ascii.bro
+++ b/scripts/base/frameworks/logging/writers/ascii.bro
@@ -26,6 +26,13 @@ export {
 	## This option is also available as a per-filter ``$config`` option.
 	const use_json = F &redef;
 
+	## Define the gzip level to compress the logs.  If 0, then no gzip
+	## compression is performed. Enabling compression also changes
+	## the log file name extension to include ".gz".
+	##
+	## This option is also available as a per-filter ``$config`` option.
+	const gzip_level = 0 &redef;
+
 	## Format of timestamps when writing out JSON. By default, the JSON
 	## formatter will use double values for timestamps which represent the
 	## number of seconds from the UNIX epoch.
diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.bro b/scripts/base/frameworks/netcontrol/catch-and-release.bro
index f5fd38b2e3..2d28274f77 100644
--- a/scripts/base/frameworks/netcontrol/catch-and-release.bro
+++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro
@@ -10,39 +10,39 @@ export {
 
 	redef enum Log::ID += { CATCH_RELEASE };
 
-	## Thhis record is used is used for storing information about current blocks that are
+	## This record is used for storing information about current blocks that are
 	## part of catch and release.
 	type BlockInfo: record {
-		## Absolute time indicating until when a block is inserted using NetControl
+		## Absolute time indicating until when a block is inserted using NetControl.
 		block_until: time &optional;
-		## Absolute time indicating until when an IP address is watched to reblock it
+		## Absolute time indicating until when an IP address is watched to reblock it.
 		watch_until: time;
-		## Number of times an IP address was reblocked
+		## Number of times an IP address was reblocked.
 		num_reblocked: count &default=0;
-		## Number indicating at which catch and release interval we currently are
+		## Number indicating at which catch and release interval we currently are.
 		current_interval: count;
 		## ID of the inserted block, if any.
 		current_block_id: string;
-		## User specified string
+		## User specified string.
 		location: string &optional;
 	};
 
 	## The enum that contains the different kinds of messages that are logged by
-	## catch and release
+	## catch and release.
 	type CatchReleaseActions: enum {
-		## Log lines marked with info are purely informational; no action was taken
+		## Log lines marked with info are purely informational; no action was taken.
 		INFO,
 		## A rule for the specified IP address already existed in NetControl (outside
 		## of catch-and-release). Catch and release did not add a new rule, but is now
-		## watching the IP address and will add a new rule after the current rule expired.
+		## watching the IP address and will add a new rule after the current rule expires.
 		ADDED,
-		## A drop was requested by catch and release
+		## A drop was requested by catch and release.
 		DROP,
-		## A address was succesfully blocked by catch and release
+		## An address was successfully blocked by catch and release.
 		DROPPED,
-		## An address was unblocked after the timeout expired
+		## An address was unblocked after the timeout expired.
 		UNBLOCK,
-		## An address was forgotten because it did not reappear within the `watch_until` interval
+		## An address was forgotten because it did not reappear within the `watch_until` interval.
 		FORGOTTEN,
 		## A watched IP address was seen again; catch and release will re-block it.
 		SEEN_AGAIN
@@ -52,7 +52,7 @@ export {
 	type CatchReleaseInfo: record {
 		## The absolute time indicating when the action for this log-line occured.
 		ts: time &log;
-		## The rule id that this log lone refers to.
+		## The rule id that this log line refers to.
 		rule_id: string &log &optional;
 		## The IP address that this line refers to.
 		ip: addr &log;
@@ -85,7 +85,7 @@ export {
 	##
 	## a: The address to be dropped.
 	##
-	## t: How long to drop it, with 0 being indefinitly.
+	## t: How long to drop it, with 0 being indefinitely.
 	##
 	## location: An optional string describing where the drop was triggered.
 	##
@@ -101,17 +101,17 @@ export {
 	##
 	## a: The address to be unblocked.
 	##
-	## reason: A reason for the unblock
+	## reason: A reason for the unblock.
 	##
 	## Returns: True if the address was unblocked.
 	global unblock_address_catch_release: function(a: addr, reason: string &default="") : bool;
 
-	## This function can be called to notify the cach and release script that activity by
+	## This function can be called to notify the catch and release script that activity by
 	## an IP address was seen. If the respective IP address is currently monitored by catch and
-	## release and not blocked, the block will be re-instated. See the documentation of watch_new_connection
+	## release and not blocked, the block will be reinstated. See the documentation of watch_new_connection
 	## which events the catch and release functionality usually monitors for activity.
 	##
-	## a: The address that was seen and should be re-dropped if it is being watched
+	## a: The address that was seen and should be re-dropped if it is being watched.
 	global catch_release_seen: function(a: addr);
 
 	## Get the :bro:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release.
@@ -144,7 +144,7 @@ export {
 	## should have been blocked.
 	const catch_release_warn_blocked_ip_encountered = F &redef;
 
-	## Time intervals for which a subsequent drops of the same IP take
+	## Time intervals for which subsequent drops of the same IP take
 	## effect.
 	const catch_release_intervals: vector of interval = vector(10min, 1hr, 24hrs, 7days) &redef;
 
@@ -160,7 +160,7 @@ export {
 	global catch_release_encountered: event(a: addr);
 }
 
-# set that is used to only send seen notifications to the master every ~30 seconds.
+# Set that is used to only send seen notifications to the master every ~30 seconds.
 global catch_release_recently_notified: set[addr] &create_expire=30secs;
 
 event bro_init() &priority=5
diff --git a/scripts/base/frameworks/netcontrol/cluster.bro b/scripts/base/frameworks/netcontrol/cluster.bro
index 5b71e40659..9abe44b34d 100644
--- a/scripts/base/frameworks/netcontrol/cluster.bro
+++ b/scripts/base/frameworks/netcontrol/cluster.bro
@@ -23,7 +23,7 @@ redef Cluster::manager2worker_events += /NetControl::rule_(added|removed|timeout
 
 function activate(p: PluginState, priority: int)
 	{
-	# we only run the activate function on the manager.
+	# We only run the activate function on the manager.
 	if ( Cluster::local_node_type() != Cluster::MANAGER )
 		return;
 
@@ -38,8 +38,8 @@ function add_rule(r: Rule) : string
 		return add_rule_impl(r);
 	else
 		{
-		# we sync rule entities accross the cluster, so we
-		# acually can test if the rule already exists. If yes,
+		# We sync rule entities accross the cluster, so we
+		# actually can test if the rule already exists. If yes,
 		# refuse insertion already at the node.
 
 		if ( [r$entity, r$ty] in rule_entities )
diff --git a/scripts/base/frameworks/netcontrol/drop.bro b/scripts/base/frameworks/netcontrol/drop.bro
index 8209df2f51..8b31996057 100644
--- a/scripts/base/frameworks/netcontrol/drop.bro
+++ b/scripts/base/frameworks/netcontrol/drop.bro
@@ -11,34 +11,34 @@ export {
 	##
 	## a: The address to be dropped.
 	##
-	## t: How long to drop it, with 0 being indefinitly.
+	## t: How long to drop it, with 0 being indefinitely.
 	##
 	## location: An optional string describing where the drop was triggered.
 	##
-	## Returns: The id of the inserted rule on succes and zero on failure.
+	## Returns: The id of the inserted rule on success and zero on failure.
 	global drop_address: function(a: addr, t: interval, location: string &default="") : string;
 
-	## Stops all packets involving an connection address from being forwarded.
+	## Stops all packets involving a connection address from being forwarded.
 	##
 	## c: The connection to be dropped.
 	##
-	## t: How long to drop it, with 0 being indefinitly.
+	## t: How long to drop it, with 0 being indefinitely.
 	##
 	## location: An optional string describing where the drop was triggered.
 	##
-	## Returns: The id of the inserted rule on succes and zero on failure.
+	## Returns: The id of the inserted rule on success and zero on failure.
 	global drop_connection: function(c: conn_id, t: interval, location: string &default="") : string;
 
 	type DropInfo: record {
 		## Time at which the recorded activity occurred.
 		ts: time		&log;
-		## ID of the rule; unique during each Bro run
+		## ID of the rule; unique during each Bro run.
 		rule_id: string  &log;
 		orig_h: addr 	&log;	##< The originator's IP address.
 		orig_p: port 	&log &optional;	##< The originator's port number.
 		resp_h: addr	&log &optional;	##< The responder's IP address.
 		resp_p: port	&log &optional;	##< The responder's port number.
-		## Expiry time of the shunt
+		## Expiry time of the shunt.
 		expire: interval &log;
 		## Location where the underlying action was triggered.
 		location: string	&log &optional;
@@ -47,7 +47,7 @@ export {
 	## Hook that allows the modification of rules passed to drop_* before they
 	## are passed on. If one of the hooks uses break, the rule is ignored.
 	##
-	## r: The rule to be added
+	## r: The rule to be added.
 	global NetControl::drop_rule_policy: hook(r: Rule);
 
 	## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
diff --git a/scripts/base/frameworks/netcontrol/main.bro b/scripts/base/frameworks/netcontrol/main.bro
index 0e5d0cf7be..3e9b35fa8c 100644
--- a/scripts/base/frameworks/netcontrol/main.bro
+++ b/scripts/base/frameworks/netcontrol/main.bro
@@ -7,7 +7,7 @@
 ##! restrictions on entities, such as specific connections or IP addresses.
 ##!
 ##! This framework has two APIs: a high-level and low-level. The high-level API
-##! provides convinience functions for a set of common operations. The
+##! provides convenience functions for a set of common operations. The
 ##! low-level API provides full flexibility.
 
 module NetControl;
@@ -25,7 +25,7 @@ export {
 
 	## Activates a plugin.
 	##
-	## p: The plugin to acticate.
+	## p: The plugin to activate.
 	##
 	## priority: The higher the priority, the earlier this plugin will be checked
 	##           whether it supports an operation, relative to other plugins.
@@ -48,37 +48,37 @@ export {
 
 	## Allows all traffic involving a specific IP address to be forwarded.
 	##
-	## a: The address to be whitelistet.
+	## a: The address to be whitelisted.
 	##
-	## t: How long to whitelist it, with 0 being indefinitly.
+	## t: How long to whitelist it, with 0 being indefinitely.
 	##
 	## location: An optional string describing whitelist was triddered.
 	##
-	## Returns: The id of the inserted rule on succes and zero on failure.
+	## Returns: The id of the inserted rule on success and zero on failure.
 	global whitelist_address: function(a: addr, t: interval, location: string &default="") : string;
 
 	## Allows all traffic involving a specific IP subnet to be forwarded.
 	##
-	## s: The subnet to be whitelistet.
+	## s: The subnet to be whitelisted.
 	##
-	## t: How long to whitelist it, with 0 being indefinitly.
+	## t: How long to whitelist it, with 0 being indefinitely.
 	##
 	## location: An optional string describing whitelist was triddered.
 	##
-	## Returns: The id of the inserted rule on succes and zero on failure.
+	## Returns: The id of the inserted rule on success and zero on failure.
 	global whitelist_subnet: function(s: subnet, t: interval, location: string &default="") : string;
 
-	## Redirects an uni-directional flow to another port.
+	## Redirects a uni-directional flow to another port.
 	##
 	## f: The flow to redirect.
 	##
-	## out_port: Port to redirect the flow to
+	## out_port: Port to redirect the flow to.
 	##
-	## t: How long to leave the redirect in place, with 0 being indefinitly.
+	## t: How long to leave the redirect in place, with 0 being indefinitely.
 	##
 	## location: An optional string describing where the redirect was triggered.
 	##
-	## Returns: The id of the inserted rule on succes and zero on failure.
+	## Returns: The id of the inserted rule on success and zero on failure.
 	global redirect_flow: function(f: flow_id, out_port: count, t: interval, location: string &default="") : string;
 
 	## Quarantines a host. This requires a special quarantine server, which runs a HTTP server explaining
@@ -87,13 +87,13 @@ export {
 	## instead. Only http communication infected to quarantinehost is allowed. All other network communication
 	## is blocked.
 	##
-	## infected: the host to quarantine
+	## infected: the host to quarantine.
 	##
-	## dns: the network dns server
+	## dns: the network dns server.
 	##
-	## quarantine: the quarantine server running a dns and a web server
+	## quarantine: the quarantine server running a dns and a web server.
 	##
-	## t: how long to leave the quarantine in place
+	## t: how long to leave the quarantine in place.
 	##
 	## Returns: Vector of inserted rules on success, empty list on failure.
 	global quarantine_host: function(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string;
@@ -111,7 +111,7 @@ export {
 	##
 	## r: The rule to install.
 	##
-	## Returns: If succesful, returns an ID string unique to the rule that can
+	## Returns: If successful, returns an ID string unique to the rule that can
 	##          later be used to refer to it. If unsuccessful, returns an empty
 	##          string. The ID is also assigned to ``r$id``. Note that
 	##          "successful" means "a plugin knew how to handle the rule", it
@@ -126,19 +126,19 @@ export {
 	##
 	## reason: Optional string argument giving information on why the rule was removed.
 	##
-	## Returns: True if succesful, the relevant plugin indicated that it knew
+	## Returns: True if successful, the relevant plugin indicated that it knew
 	##          how to handle the removal. Note that again "success" means the
-	##          plugin accepted the removal. They might still fail to put it
+	##          plugin accepted the removal. It might still fail to put it
 	##          into effect, as that might happen asynchronously and thus go
 	##          wrong at that point.
 	global remove_rule: function(id: string, reason: string &default="") : bool;
 
-	## Deletes a rule without removing in from the backends to which it has been
-	## added before. This mean that no messages will be sent to the switches to which
+	## Deletes a rule without removing it from the backends to which it has been
+	## added before. This means that no messages will be sent to the switches to which
 	## the rule has been added; if it is not removed from them by a separate mechanism,
 	## it will stay installed and not be removed later.
 	##
-	## id: The rule to delete, specified as the ID returned by :bro:see:`add_rule` .
+	## id: The rule to delete, specified as the ID returned by :bro:see:`NetControl::add_rule`.
 	##
 	## reason: Optional string argument giving information on why the rule was deleted.
 	##
@@ -152,9 +152,9 @@ export {
 	## the worker, the internal rule variables (starting with _) will not reflect the
 	## current state.
 	##
-	## ip: The ip address to search for
+	## ip: The ip address to search for.
 	##
-	## Returns: vector of all rules affecting the IP address
+	## Returns: vector of all rules affecting the IP address.
 	global find_rules_addr: function(ip: addr) : vector of Rule;
 
 	## Searches all rules affecting a certain subnet.
@@ -171,9 +171,9 @@ export {
 	## the worker, the internal rule variables (starting with _) will not reflect the
 	## current state.
 	##
-	## sn: The subnet to search for
+	## sn: The subnet to search for.
 	##
-	## Returns: vector of all rules affecting the subnet
+	## Returns: vector of all rules affecting the subnet.
 	global find_rules_subnet: function(sn: subnet) : vector of Rule;
 
 	###### Asynchronous feedback on rules.
@@ -201,7 +201,7 @@ export {
 	global rule_exists: event(r: Rule, p: PluginState, msg: string &default="");
 
 	## Reports that a plugin reports a rule was removed due to a
-	## remove: function() vall.
+	## remove_rule function call.
 	##
 	## r: The rule now removed.
 	##
@@ -234,9 +234,9 @@ export {
 
 	## This event is raised when a new rule is created by the NetControl framework
 	## due to a call to add_rule. From this moment, until the rule_destroyed event
-	## is raised, the rule is tracked internally by the NetControl framewory.
+	## is raised, the rule is tracked internally by the NetControl framework.
 	##
-	## Note that this event does not mean that a rule was succesfully added by
+	## Note that this event does not mean that a rule was successfully added by
 	## any backend; it just means that the rule has been accepted and addition
 	## to the specified backend is queued. To get information when rules are actually
 	## installed by the hardware, use the rule_added, rule_exists, rule_removed, rule_timeout
@@ -248,15 +248,15 @@ export {
 	## was removed by all plugins to which it was added, by the fact that it timed out
 	## or due to rule errors.
 	##
-	## To get the cause or a rule remove, hook the rule_removed, rule_timeout and
-	## rule_error calls.
+	## To get the cause of a rule remove, catch the rule_removed, rule_timeout and
+	## rule_error events.
 	global rule_destroyed: event(r: Rule);
 
 	## Hook that allows the modification of rules passed to add_rule before they
 	## are passed on to the plugins. If one of the hooks uses break, the rule is
 	## ignored and not passed on to any plugin.
 	##
-	## r: The rule to be added
+	## r: The rule to be added.
 	global NetControl::rule_policy: hook(r: Rule);
 
 	##### Plugin functions
@@ -279,19 +279,19 @@ export {
 
 	## State of an entry in the NetControl log.
 	type InfoState: enum {
-		REQUESTED, ##< The request to add/remove a rule was sent to the respective backend
-		SUCCEEDED, ##< A rule was succesfully added by a backend
-		EXISTS, ##< A backend reported that a rule was already existing
-		FAILED, ##< A rule addition failed
-		REMOVED, ##< A rule was succesfully removed by a backend
-		TIMEOUT, ##< A rule timeout was triggered by the NetControl framework or a backend
+		REQUESTED, ##< The request to add/remove a rule was sent to the respective backend.
+		SUCCEEDED, ##< A rule was successfully added by a backend.
+		EXISTS, ##< A backend reported that a rule was already existing.
+		FAILED, ##< A rule addition failed.
+		REMOVED, ##< A rule was successfully removed by a backend.
+		TIMEOUT, ##< A rule timeout was triggered by the NetControl framework or a backend.
 	};
 
 	## The record type defining the column fields of the NetControl log.
 	type Info: record {
 		## Time at which the recorded activity occurred.
 		ts: time		&log;
-		## ID of the rule; unique during each Bro run
+		## ID of the rule; unique during each Bro run.
 		rule_id: string  &log &optional;
 		## Type of the log entry.
 		category: InfoCategory	&log &optional;
@@ -311,9 +311,9 @@ export {
 		mod: string		&log &optional;
 		## String with an additional message.
 		msg: string		&log &optional;
-		## Number describing the priority of the log entry
+		## Number describing the priority of the log entry.
 		priority: int &log &optional;
-		## Expiry time of the log entry
+		## Expiry time of the log entry.
 		expire: interval &log &optional;
 		## Location where the underlying action was triggered.
 		location: string	&log &optional;
@@ -333,7 +333,7 @@ redef record Rule += {
 	_active_plugin_ids: set[count] &default=count_set();
 	## Internally set to plugins where the rule should not be removed upon timeout.
 	_no_expire_plugins: set[count] &default=count_set();
-	## Track if the rule was added succesfully by all responsible plugins.
+	## Track if the rule was added successfully by all responsible plugins.
 	_added: bool &default=F;
 };
 
diff --git a/scripts/base/frameworks/netcontrol/plugin.bro b/scripts/base/frameworks/netcontrol/plugin.bro
index 36fa25a8f0..2b432e7597 100644
--- a/scripts/base/frameworks/netcontrol/plugin.bro
+++ b/scripts/base/frameworks/netcontrol/plugin.bro
@@ -9,7 +9,7 @@ export {
 	##
 	## Individual plugins commonly extend this record to suit their needs.
 	type PluginState: record {
-		## Table for a plugin to store custom, instance-specfific state. 
+		## Table for a plugin to store custom, instance-specific state.
 		config: table[string] of string &default=table();
 
 		## Unique plugin identifier -- used for backlookup of plugins from Rules. Set internally.
@@ -18,14 +18,14 @@ export {
 		## Set internally.
 		_priority: int &default=+0;
 
-		## Set internally. Signifies if the plugin has returned that it has activated succesfully
+		## Set internally. Signifies if the plugin has returned that it has activated successfully.
 		_activated: bool &default=F;
 	};
 
 	## Definition of a plugin.
 	##
 	## Generally a plugin needs to implement only what it can support.  By
-	## returning failure, it indicates that it can't support something and the
+	## returning failure, it indicates that it can't support something and
 	## the framework will then try another plugin, if available; or inform the
 	## that the operation failed. If a function isn't implemented by a plugin,
 	## that's considered an implicit failure to support the operation.
@@ -33,7 +33,7 @@ export {
 	## If plugin accepts a rule operation, it *must* generate one of the reporting
 	## events ``rule_{added,remove,error}`` to signal if it indeed worked out;
 	## this is separate from accepting the operation because often a plugin
-	## will only know later (i.e., asynchrously) if that was an error for
+	## will only know later (i.e., asynchronously) if that was an error for
 	## something it thought it could handle.
 	type Plugin: record {
 		## Returns a descriptive name of the plugin instance, suitable for use in logging
@@ -64,7 +64,7 @@ export {
 		add_rule: function(state: PluginState, r: Rule) : bool &optional;
 
 		## Implements the remove_rule() operation. This will only be called for
-		## rules that the plugins has previously accepted with add_rule(). The
+		## rules that the plugin has previously accepted with add_rule(). The
 		## ``id`` field will match that of the add_rule() call.  Generally,
 		## a plugin that accepts an add_rule() should also accept the
 		## remove_rule().
diff --git a/scripts/base/frameworks/netcontrol/plugins/README b/scripts/base/frameworks/netcontrol/plugins/README
index 12af1779c9..5823252cb3 100644
--- a/scripts/base/frameworks/netcontrol/plugins/README
+++ b/scripts/base/frameworks/netcontrol/plugins/README
@@ -1 +1 @@
-Plugins for the NetControl framework
+Plugins for the NetControl framework.
diff --git a/scripts/base/frameworks/netcontrol/plugins/acld.bro b/scripts/base/frameworks/netcontrol/plugins/acld.bro
index 5f729c284f..2c4760e066 100644
--- a/scripts/base/frameworks/netcontrol/plugins/acld.bro
+++ b/scripts/base/frameworks/netcontrol/plugins/acld.bro
@@ -17,24 +17,24 @@ export {
 	};
 
 	type AcldConfig: record {
-		## The acld topic used to send events to
+		## The acld topic to send events to.
 		acld_topic: string;
-		## Broker host to connect to
+		## Broker host to connect to.
 		acld_host: addr;
-		## Broker port to connect to
+		## Broker port to connect to.
 		acld_port: port;
-		## Do we accept rules for the monitor path? Default false
+		## Do we accept rules for the monitor path? Default false.
 		monitor: bool &default=F;
-		## Do we accept rules for the forward path? Default true
+		## Do we accept rules for the forward path? Default true.
 		forward: bool &default=T;
 
 		## Predicate that is called on rule insertion or removal.
 		##
-		## p: Current plugin state
+		## p: Current plugin state.
 		##
-		## r: The rule to be inserted or removed
+		## r: The rule to be inserted or removed.
 		##
-		## Returns: T if the rule can be handled by the current backend, F otherwhise
+		## Returns: T if the rule can be handled by the current backend, F otherwise.
 		check_pred: function(p: PluginState, r: Rule): bool &optional;
 	};
 
@@ -43,27 +43,27 @@ export {
 
 	redef record PluginState += {
 		acld_config: AcldConfig &optional;
-		## The ID of this acld instance - for the mapping to PluginStates
+		## The ID of this acld instance - for the mapping to PluginStates.
 		acld_id: count &optional;
 	};
 
 	## Hook that is called after a rule is converted to an acld rule.
 	## The hook may modify the rule before it is sent to acld.
 	## Setting the acld command to F will cause the rule to be rejected
-	## by the plugin
+	## by the plugin.
 	##
-	## p: Current plugin state
+	## p: Current plugin state.
 	##
-	## r: The rule to be inserted or removed
+	## r: The rule to be inserted or removed.
 	##
-	## ar: The acld rule to be inserted or removed
+	## ar: The acld rule to be inserted or removed.
 	global NetControl::acld_rule_policy: hook(p: PluginState, r: Rule, ar: AclRule);
 
-	## Events that are sent from us to Broker
+	## Events that are sent from us to Broker.
 	global acld_add_rule: event(id: count, r: Rule, ar: AclRule);
 	global acld_remove_rule: event(id: count, r: Rule, ar: AclRule);
 
-	## Events that are sent from Broker to us
+	## Events that are sent from Broker to us.
 	global acld_rule_added: event(id: count, r: Rule, msg: string);
 	global acld_rule_removed: event(id: count, r: Rule, msg: string);
 	global acld_rule_exists: event(id: count, r: Rule, msg: string);
diff --git a/scripts/base/frameworks/netcontrol/plugins/broker.bro b/scripts/base/frameworks/netcontrol/plugins/broker.bro
index 465ca5b9fc..cb1d5dd786 100644
--- a/scripts/base/frameworks/netcontrol/plugins/broker.bro
+++ b/scripts/base/frameworks/netcontrol/plugins/broker.bro
@@ -1,4 +1,4 @@
-##! Broker plugin for the netcontrol framework. Sends the raw data structures
+##! Broker plugin for the NetControl framework. Sends the raw data structures
 ##! used in NetControl on to Broker to allow for easy handling, e.g., of
 ##! command-line scripts.
 
@@ -13,25 +13,25 @@ module NetControl;
 export {
 	## This record specifies the configuration that is passed to :bro:see:`NetControl::create_broker`.
 	type BrokerConfig: record {
-		## The broker topic used to send events to
+		## The broker topic to send events to.
 		topic: string &optional;
-		## Broker host to connect to
+		## Broker host to connect to.
 		host: addr &optional;
-		## Broker port to connect to
+		## Broker port to connect to.
 		bport: port &optional;
 
-		## Do we accept rules for the monitor path? Default true
+		## Do we accept rules for the monitor path? Default true.
 		monitor: bool &default=T;
-		## Do we accept rules for the forward path? Default true
+		## Do we accept rules for the forward path? Default true.
 		forward: bool &default=T;
 
 		## Predicate that is called on rule insertion or removal.
 		##
-		## p: Current plugin state
+		## p: Current plugin state.
 		##
-		## r: The rule to be inserted or removed
+		## r: The rule to be inserted or removed.
 		##
-		## Returns: T if the rule can be handled by the current backend, F otherwhise
+		## Returns: T if the rule can be handled by the current backend, F otherwise.
 		check_pred: function(p: PluginState, r: Rule): bool &optional;
 	};
 
@@ -39,9 +39,9 @@ export {
 	global create_broker: function(config: BrokerConfig, can_expire: bool) : PluginState;
 
 	redef record PluginState += {
-		## OpenFlow controller for NetControl Broker plugin
+		## OpenFlow controller for NetControl Broker plugin.
 		broker_config: BrokerConfig &optional;
-		## The ID of this broker instance - for the mapping to PluginStates
+		## The ID of this broker instance - for the mapping to PluginStates.
 		broker_id: count &optional;
 	};
 
diff --git a/scripts/base/frameworks/netcontrol/plugins/openflow.bro b/scripts/base/frameworks/netcontrol/plugins/openflow.bro
index 234e0b47c7..c528a1ba3e 100644
--- a/scripts/base/frameworks/netcontrol/plugins/openflow.bro
+++ b/scripts/base/frameworks/netcontrol/plugins/openflow.bro
@@ -9,11 +9,11 @@ module NetControl;
 export {
 	## This record specifies the configuration that is passed to :bro:see:`NetControl::create_openflow`.
 	type OfConfig: record {
-		monitor: bool &default=T; ##< accept rules that target the monitor path
-		forward: bool &default=T; ##< accept rules that target the forward path
-		idle_timeout: count &default=0; ##< default OpenFlow idle timeout
-		table_id: count &optional; ##< default OpenFlow table ID.
-		priority_offset: int &default=+0; ##< add this to all rule priorities. Can be useful if you want the openflow priorities be offset from the netcontrol priorities without having to write a filter function.
+		monitor: bool &default=T; ##< Accept rules that target the monitor path.
+		forward: bool &default=T; ##< Accept rules that target the forward path.
+		idle_timeout: count &default=0; ##< Default OpenFlow idle timeout.
+		table_id: count &optional; ##< Default OpenFlow table ID.
+		priority_offset: int &default=+0; ##< Add this to all rule priorities. Can be useful if you want the openflow priorities be offset from the netcontrol priorities without having to write a filter function.
 
 		## Predicate that is called on rule insertion or removal.
 		##
@@ -21,7 +21,7 @@ export {
 		##
 		## r: The rule to be inserted or removed.
 		##
-		## Returns: T if the rule can be handled by the current backend, F otherwhise.
+		## Returns: T if the rule can be handled by the current backend, F otherwise.
 		check_pred: function(p: PluginState, r: Rule): bool &optional;
 
 		## This predicate is called each time an OpenFlow match record is created.
@@ -34,10 +34,10 @@ export {
 		##
 		## m: The openflow match structures that were generated for this rules.
 		##
-		## Returns: The modified OpenFlow match structures that will be used in place the structures passed in m.
+		## Returns: The modified OpenFlow match structures that will be used in place of the structures passed in m.
 		match_pred: function(p: PluginState, e: Entity, m: vector of OpenFlow::ofp_match): vector of OpenFlow::ofp_match &optional;
 
-		## This predicate is called before an FlowMod message is sent to the OpenFlow
+		## This predicate is called before a FlowMod message is sent to the OpenFlow
 		## device. It can modify the FlowMod message before it is passed on.
 		##
 		## p: Current plugin state.
@@ -46,14 +46,14 @@ export {
 		##
 		## m: The OpenFlow FlowMod message.
 		##
-		## Returns: The modified FloMod message that is used in lieu of m.
+		## Returns: The modified FlowMod message that is used in lieu of m.
 		flow_mod_pred: function(p: PluginState, r: Rule, m: OpenFlow::ofp_flow_mod): OpenFlow::ofp_flow_mod &optional;
 	};
 
 	redef record PluginState += {
-		## OpenFlow controller for NetControl OpenFlow plugin
+		## OpenFlow controller for NetControl OpenFlow plugin.
 		of_controller: OpenFlow::Controller &optional;
-		## OpenFlow configuration record that is passed on initialization
+		## OpenFlow configuration record that is passed on initialization.
 		of_config: OfConfig &optional;
 	};
 
@@ -66,11 +66,11 @@ export {
 		duration_sec: double &default=0.0;
 	};
 
-	## the time interval after which an openflow message is considered to be timed out
+	## The time interval after which an openflow message is considered to be timed out
 	## and we delete it from our internal tracking.
 	const openflow_message_timeout = 20secs &redef;
 
-	## the time interval after we consider a flow timed out. This should be fairly high (or
+	## The time interval after we consider a flow timed out. This should be fairly high (or
 	## even disabled) if you expect a lot of long flows. However, one also will have state
 	## buildup for quite a while if keeping this around...
 	const openflow_flow_timeout = 24hrs &redef;
@@ -318,7 +318,7 @@ function openflow_add_rule(p: PluginState, r: Rule) : bool
 			++flow_mod$cookie;
 			}
 		else
-			event rule_error(r, p, "Error while executing OpenFlow::flow_mod");
+			event NetControl::rule_error(r, p, "Error while executing OpenFlow::flow_mod");
 		}
 
 	return T;
@@ -338,7 +338,7 @@ function openflow_remove_rule(p: PluginState, r: Rule, reason: string) : bool
 			of_messages[r$cid, flow_mod$command] = OfTable($p=p, $r=r);
 	else
 			{
-			event rule_error(r, p, "Error while executing OpenFlow::flow_mod");
+			event NetControl::rule_error(r, p, "Error while executing OpenFlow::flow_mod");
 			return F;
 			}
 
diff --git a/scripts/base/frameworks/netcontrol/shunt.bro b/scripts/base/frameworks/netcontrol/shunt.bro
index e1a5715582..1275be1560 100644
--- a/scripts/base/frameworks/netcontrol/shunt.bro
+++ b/scripts/base/frameworks/netcontrol/shunt.bro
@@ -11,21 +11,21 @@ export {
 	##
 	## f: The flow to shunt.
 	##
-	## t: How long to leave the shunt in place, with 0 being indefinitly.
+	## t: How long to leave the shunt in place, with 0 being indefinitely.
 	##
 	## location: An optional string describing where the shunt was triggered.
 	##
-	## Returns: The id of the inserted rule on succes and zero on failure.
+	## Returns: The id of the inserted rule on success and zero on failure.
 	global shunt_flow: function(f: flow_id, t: interval, location: string &default="") : string;
 
 	type ShuntInfo: record {
 		## Time at which the recorded activity occurred.
 		ts: time &log;
-		## ID of the rule; unique during each Bro run
+		## ID of the rule; unique during each Bro run.
 		rule_id: string  &log;
-		## Flow ID of the shunted flow
+		## Flow ID of the shunted flow.
 		f: flow_id &log;
-		## Expiry time of the shunt
+		## Expiry time of the shunt.
 		expire: interval &log;
 		## Location where the underlying action was triggered.
 		location: string &log &optional;
diff --git a/scripts/base/frameworks/netcontrol/types.bro b/scripts/base/frameworks/netcontrol/types.bro
index dce3ed4223..cc42de14e0 100644
--- a/scripts/base/frameworks/netcontrol/types.bro
+++ b/scripts/base/frameworks/netcontrol/types.bro
@@ -1,4 +1,4 @@
-##! This file defines the that are used by the NetControl framework.
+##! This file defines the types that are used by the NetControl framework.
 ##!
 ##! The most important type defined in this file is :bro:see:`NetControl::Rule`,
 ##! which is used to describe all rules that can be expressed by the NetControl framework. 
@@ -17,17 +17,16 @@ export {
 	## that have a :bro:see:`NetControl::RuleType` of :bro:enum:`NetControl::WHITELIST`.
 	const whitelist_priority: int = +5 &redef;
 
-	## The EntityType is used in :bro:id:`Entity` for defining the entity that a rule
-	## applies to.
+	## Type defining the entity that a rule applies to.
 	type EntityType: enum {
 		ADDRESS,	##< Activity involving a specific IP address.
 		CONNECTION,	##< Activity involving all of a bi-directional connection's activity.
-		FLOW,		##< Actitivy involving a uni-directional flow's activity. Can contain wildcards.
+		FLOW,		##< Activity involving a uni-directional flow's activity. Can contain wildcards.
 		MAC,		##< Activity involving a MAC address.
 	};
 
-	## Flow is used in :bro:id:`Entity` together with :bro:enum:`NetControl::FLOW` to specify
-	## a uni-directional flow that a :bro:id:`Rule` applies to.
+	## Flow is used in :bro:type:`NetControl::Entity` together with :bro:enum:`NetControl::FLOW` to specify
+	## a uni-directional flow that a rule applies to.
 	##
 	## If optional fields are not set, they are interpreted as wildcarded.
 	type Flow: record {
@@ -39,7 +38,7 @@ export {
 		dst_m: string &optional;	##< The destination MAC address.
 	};
 
-	## Type defining the entity an :bro:id:`Rule` is operating on.
+	## Type defining the entity a rule is operating on.
 	type Entity: record {
 		ty: EntityType;			##< Type of entity.
 		conn: conn_id &optional;	##< Used with :bro:enum:`NetControl::CONNECTION`.
@@ -48,7 +47,7 @@ export {
 		mac: string &optional;		##< Used with :bro:enum:`NetControl::MAC`.
 	};
 
-	## The :bro:id`TargetType` defined the target of a :bro:id:`Rule`.
+	## Type defining the target of a rule.
 	##
 	## Rules can either be applied to the forward path, affecting all network traffic, or
 	## on the monitor path, only affecting the traffic that is sent to Bro. The second
@@ -60,7 +59,7 @@ export {
 	};
 
 	## Type of rules that the framework supports. Each type lists the extra
-	## :bro:id:`Rule` argument(s) it uses, if any.
+	## :bro:type:`NetControl::Rule` fields it uses, if any.
 	##
 	## Plugins may extend this type to define their own.
 	type RuleType: enum {
@@ -81,7 +80,7 @@ export {
 		REDIRECT,
 
 		## Whitelists all packets of an entity, meaning no restrictions will be applied.
-		## While whitelisting is the default if no rule matches an this can type can be
+		## While whitelisting is the default if no rule matches, this type can be
 		## used to override lower-priority rules that would otherwise take effect for the
 		## entity.
 		WHITELIST,
@@ -92,7 +91,7 @@ export {
 		src_h: addr &optional;	##< The source IP address.
 		src_p: count &optional;	##< The source port number.
 		dst_h: addr &optional;	##< The destination IP address.
-		dst_p: count &optional;	##< The desintation port number.
+		dst_p: count &optional;	##< The destination port number.
 		src_m: string &optional;	##< The source MAC address.
 		dst_m: string &optional;	##< The destination MAC address.
 		redirect_port: count &optional;
@@ -121,8 +120,8 @@ export {
 	## That being said - their design makes sense and this is probably the data one
 	## can expect to be available.
 	type FlowInfo: record {
-		duration: interval &optional; ##< total duration of the rule
-		packet_count: count &optional; ##< number of packets exchanged over connections matched by the rule
-		byte_count: count &optional; ##< total bytes exchanged over connections matched by the rule
+		duration: interval &optional; ##< Total duration of the rule.
+		packet_count: count &optional; ##< Number of packets exchanged over connections matched by the rule.
+		byte_count: count &optional; ##< Total bytes exchanged over connections matched by the rule.
 	};
 }
diff --git a/scripts/base/frameworks/notice/cluster.bro b/scripts/base/frameworks/notice/cluster.bro
index 3c3fbc6d36..2a45f957a8 100644
--- a/scripts/base/frameworks/notice/cluster.bro
+++ b/scripts/base/frameworks/notice/cluster.bro
@@ -21,10 +21,10 @@ redef Cluster::manager2worker_events += /Notice::begin_suppression/;
 redef Cluster::worker2manager_events += /Notice::cluster_notice/;
 
 @if ( Cluster::local_node_type() != Cluster::MANAGER )
-event Notice::begin_suppression(n: Notice::Info)
+event Notice::begin_suppression(ts: time, suppress_for: interval, note: Type, identifier: string)
 	{
-	local suppress_until = n$ts + n$suppress_for;
-	suppressing[n$note, n$identifier] = suppress_until;
+	local suppress_until = ts + suppress_for;
+	suppressing[note, identifier] = suppress_until;
 	}
 @endif
 
diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro
index a203f6a772..aa88c26174 100644
--- a/scripts/base/frameworks/notice/main.bro
+++ b/scripts/base/frameworks/notice/main.bro
@@ -261,9 +261,14 @@ export {
 
 	## This event is generated when a notice begins to be suppressed.
 	##
-	## n: The record containing notice data regarding the notice type
-	##    about to be suppressed.
-	global begin_suppression: event(n: Notice::Info);
+	## ts: time indicating then when the notice to be suppressed occured.
+	##
+	## suppress_for: length of time that this notice should be suppressed.
+	##
+	## note: The :bro:type:`Notice::Type` of the notice.
+	##
+	## identifier: The identifier string of the notice that should be suppressed.
+	global begin_suppression: event(ts: time, suppress_for: interval, note: Type, identifier: string);
 
 	## A function to determine if an event is supposed to be suppressed.
 	##
@@ -504,7 +509,7 @@ hook Notice::notice(n: Notice::Info) &priority=-5
 		{
 		local suppress_until = n$ts + n$suppress_for;
 		suppressing[n$note, n$identifier] = suppress_until;
-		event Notice::begin_suppression(n);
+		event Notice::begin_suppression(n$ts, n$suppress_for, n$note, n$identifier);
 		}
 	}
 
diff --git a/scripts/base/frameworks/openflow/README b/scripts/base/frameworks/openflow/README
index 87fbc8b3cb..df20b60181 100644
--- a/scripts/base/frameworks/openflow/README
+++ b/scripts/base/frameworks/openflow/README
@@ -1,2 +1,2 @@
-The OpenFlow framework exposes the datastructures and functions
+The OpenFlow framework exposes the data structures and functions
 necessary to interface to OpenFlow capable hardware.
diff --git a/scripts/base/frameworks/openflow/consts.bro b/scripts/base/frameworks/openflow/consts.bro
index ca956702a7..3564137701 100644
--- a/scripts/base/frameworks/openflow/consts.bro
+++ b/scripts/base/frameworks/openflow/consts.bro
@@ -1,7 +1,7 @@
 ##! Constants used by the OpenFlow framework.
 
 # All types/constants not specific to OpenFlow will be defined here
-# unitl they somehow get into Bro.
+# until they somehow get into Bro.
 
 module OpenFlow;
 
@@ -122,9 +122,9 @@ export {
 
 	## Return value for a cookie from a flow
 	## which is not added, modified or deleted
-	## from the bro openflow framework
+	## from the bro openflow framework.
 	const INVALID_COOKIE = 0xffffffffffffffff;
-	# Openflow pysical port definitions
+	# Openflow physical port definitions
 	## Send the packet out the input port. This
 	## virual port must be explicitly used in
 	## order to send back out of the input port.
@@ -135,10 +135,10 @@ export {
 	const OFPP_TABLE = 0xfffffff9;
 	## Process with normal L2/L3 switching.
 	const OFPP_NORMAL = 0xfffffffa;
-	## All pysical ports except input port and
+	## All physical ports except input port and
 	## those disabled by STP.
 	const OFPP_FLOOD = 0xfffffffb;
-	## All pysical ports except input port.
+	## All physical ports except input port.
 	const OFPP_ALL = 0xfffffffc;
 	## Send to controller.
 	const OFPP_CONTROLLER = 0xfffffffd;
@@ -162,7 +162,7 @@ export {
 	# flow stats and flow deletes.
 	const OFPTT_ALL = 0xff;
 
-	## Openflow action_type definitions
+	## Openflow action_type definitions.
 	##
 	## The openflow action type defines
 	## what actions openflow can take
@@ -180,7 +180,7 @@ export {
 		OFPAT_SET_DL_SRC = 0x0004,
 		## Ethernet destination address.
 		OFPAT_SET_DL_DST = 0x0005,
-		## IP source address
+		## IP source address.
 		OFPAT_SET_NW_SRC = 0x0006,
 		## IP destination address.
 		OFPAT_SET_NW_DST = 0x0007,
@@ -192,11 +192,11 @@ export {
 		OFPAT_SET_TP_DST = 0x000a,
 		## Output to queue.
 		OFPAT_ENQUEUE = 0x000b,
-		## Vendor specific
+		## Vendor specific.
 		OFPAT_VENDOR = 0xffff,
 	};
 
-	## Openflow flow_mod_command definitions
+	## Openflow flow_mod_command definitions.
 	##
 	## The openflow flow_mod_command describes
 	## of what kind an action is.
@@ -213,7 +213,7 @@ export {
 		OFPFC_DELETE_STRICT = 0x4,
 	};
 
-	## Openflow config flag definitions
+	## Openflow config flag definitions.
 	##
 	## TODO: describe
 	type ofp_config_flags: enum {
diff --git a/scripts/base/frameworks/openflow/main.bro b/scripts/base/frameworks/openflow/main.bro
index 889929c641..5740e90056 100644
--- a/scripts/base/frameworks/openflow/main.bro
+++ b/scripts/base/frameworks/openflow/main.bro
@@ -1,11 +1,11 @@
-##! Bro's OpenFlow control framework
+##! Bro's OpenFlow control framework.
 ##!
 ##! This plugin-based framework allows to control OpenFlow capable
 ##! switches by implementing communication to an OpenFlow controller
 ##! via plugins. The framework has to be instantiated via the new function
 ##! in one of the plugins. This framework only offers very low-level
 ##! functionality; if you want to use OpenFlow capable switches, e.g.,
-##! for shunting, please look at the PACF framework, which provides higher
+##! for shunting, please look at the NetControl framework, which provides higher
 ##! level functions and can use the OpenFlow framework as a backend.
 
 module OpenFlow;
@@ -16,7 +16,7 @@ module OpenFlow;
 export {
 	## Global flow_mod function.
 	##
-	## controller: The controller which should execute the flow modification
+	## controller: The controller which should execute the flow modification.
 	##
 	## match: The ofp_match record which describes the flow to match.
 	##
@@ -27,7 +27,7 @@ export {
 
 	## Clear the current flow table of the controller.
 	##
-	## controller: The controller which should execute the flow modification
+	## controller: The controller which should execute the flow modification.
 	##
 	## Returns: F on error or if the plugin does not support the operation, T when the operation was queued.
 	global flow_clear: function(controller: Controller): bool;
@@ -66,21 +66,21 @@ export {
 	##
 	## priority: The priority that was specified when creating the flow.
 	##
-	## reason: The reason for flow removal (OFPRR_*)
+	## reason: The reason for flow removal (OFPRR_*).
 	##
-	## duration_sec: duration of the flow in seconds
+	## duration_sec: Duration of the flow in seconds.
 	##
-	## packet_count: packet count of the flow
+	## packet_count: Packet count of the flow.
 	##
-	## byte_count: byte count of the flow
+	## byte_count: Byte count of the flow.
 	global flow_removed: event(name: string, match: ofp_match, cookie: count, priority: count, reason: count, duration_sec: count, idle_timeout: count, packet_count: count, byte_count: count);
 
 	## Convert a conn_id record into an ofp_match record that can be used to
 	## create match objects for OpenFlow.
 	##
-	## id: the conn_id record that describes the record.
+	## id: The conn_id record that describes the record.
 	##
-	## reverse: reverse the sources and destinations when creating the match record (default F)
+	## reverse: Reverse the sources and destinations when creating the match record (default F).
 	##
 	## Returns: ofp_match object for the conn_id record.
 	global match_conn: function(id: conn_id, reverse: bool &default=F): ofp_match;
@@ -113,18 +113,18 @@ export {
 	## Function to register a controller instance. This function
 	## is called automatically by the plugin _new functions.
 	##
-	## tpe: type of this plugin
+	## tpe: Type of this plugin.
 	##
-	## name: unique name of this controller instance.
+	## name: Unique name of this controller instance.
 	##
-	## controller: The controller to register
+	## controller: The controller to register.
 	global register_controller: function(tpe: OpenFlow::Plugin, name: string, controller: Controller);
 
 	## Function to unregister a controller instance. This function
 	## should be called when a specific controller should no longer
 	## be used.
 	##
-	## controller: The controller to unregister
+	## controller: The controller to unregister.
 	global unregister_controller: function(controller: Controller);
 
 	## Function to signal that a controller finished activation and is
@@ -134,16 +134,16 @@ export {
 
 	## Event that is raised once a controller finishes initialization
 	## and is completely activated.
-	## name: unique name of this controller instance.
+	## name: Unique name of this controller instance.
 	##
 	## controller: The controller that finished activation.
 	global OpenFlow::controller_activated: event(name: string, controller: Controller);
 
-	## Function to lookup a controller instance by name
+	## Function to lookup a controller instance by name.
 	##
-	## name: unique name of the controller to look up
+	## name: Unique name of the controller to look up.
 	##
-	## Returns: one element vector with controller, if found. Empty vector otherwhise.
+	## Returns: One element vector with controller, if found. Empty vector otherwise.
 	global lookup_controller: function(name: string): vector of Controller;
 }
 
diff --git a/scripts/base/frameworks/openflow/plugins/broker.bro b/scripts/base/frameworks/openflow/plugins/broker.bro
index a67b941e08..fee2dc573d 100644
--- a/scripts/base/frameworks/openflow/plugins/broker.bro
+++ b/scripts/base/frameworks/openflow/plugins/broker.bro
@@ -18,11 +18,11 @@ export {
 	##
 	## host_port: Controller listen port.
 	##
-	## topic: broker topic to send messages to.
+	## topic: Broker topic to send messages to.
 	##
 	## dpid: OpenFlow switch datapath id.
 	##
-	## Returns: OpenFlow::Controller record
+	## Returns: OpenFlow::Controller record.
 	global broker_new: function(name: string, host: addr, host_port: port, topic: string, dpid: count): OpenFlow::Controller;
 
 	redef record ControllerState += {
@@ -32,7 +32,7 @@ export {
 		broker_port: port &optional;
 		## OpenFlow switch datapath id.
 		broker_dpid: count &optional;
-		## Topic to sent events for this controller to
+		## Topic to send events for this controller to.
 		broker_topic: string &optional;
 	};
 
diff --git a/scripts/base/frameworks/openflow/plugins/log.bro b/scripts/base/frameworks/openflow/plugins/log.bro
index 18aa0c1584..2fd961cd4f 100644
--- a/scripts/base/frameworks/openflow/plugins/log.bro
+++ b/scripts/base/frameworks/openflow/plugins/log.bro
@@ -19,25 +19,25 @@ export {
 	##
 	## success_event: If true, flow_mod_success is raised for each logged line.
 	##
-	## Returns: OpenFlow::Controller record
+	## Returns: OpenFlow::Controller record.
 	global log_new: function(dpid: count, success_event: bool &default=T): OpenFlow::Controller;
 
 	redef record ControllerState += {
 		## OpenFlow switch datapath id.
 		log_dpid: count &optional;
-		## Raise or do not raise success event
+		## Raise or do not raise success event.
 		log_success_event: bool &optional;
 	};
 
 	## The record type which contains column fields of the OpenFlow log.
 	type Info: record {
-		## Network time
+		## Network time.
 		ts: time &log;
-		## OpenFlow switch datapath id
+		## OpenFlow switch datapath id.
 		dpid: count &log;
-		## OpenFlow match fields
+		## OpenFlow match fields.
 		match: ofp_match &log;
-		## OpenFlow modify flow entry message
+		## OpenFlow modify flow entry message.
 		flow_mod: ofp_flow_mod &log;
 	};
 
diff --git a/scripts/base/frameworks/openflow/plugins/ryu.bro b/scripts/base/frameworks/openflow/plugins/ryu.bro
index 69d51adc9b..f022fe0f03 100644
--- a/scripts/base/frameworks/openflow/plugins/ryu.bro
+++ b/scripts/base/frameworks/openflow/plugins/ryu.bro
@@ -20,7 +20,7 @@ export {
 	##
 	## dpid: OpenFlow switch datapath id.
 	##
-	## Returns: OpenFlow::Controller record
+	## Returns: OpenFlow::Controller record.
 	global ryu_new: function(host: addr, host_port: count, dpid: count): OpenFlow::Controller;
 
 	redef record ControllerState += {
@@ -30,7 +30,7 @@ export {
 		ryu_port: count &optional;
 		## OpenFlow switch datapath id.
 		ryu_dpid: count &optional;
-		## Enable debug mode - output JSON to stdout; do not perform actions
+		## Enable debug mode - output JSON to stdout; do not perform actions.
 		ryu_debug: bool &default=F;
 	};
 }
diff --git a/scripts/base/frameworks/openflow/types.bro b/scripts/base/frameworks/openflow/types.bro
index f527cd51a7..ef57b25e2e 100644
--- a/scripts/base/frameworks/openflow/types.bro
+++ b/scripts/base/frameworks/openflow/types.bro
@@ -5,9 +5,9 @@ module OpenFlow;
 @load ./consts
 
 export {
-	## Available openflow plugins
+	## Available openflow plugins.
 	type Plugin: enum {
-		## Internal placeholder plugin
+		## Internal placeholder plugin.
 		INVALID,
 	};
 
@@ -19,7 +19,7 @@ export {
 		_plugin: Plugin &optional;
 		## Internally set to the unique name of the controller.
 		_name: string &optional;
-		## Internally set to true once the controller is activated
+		## Internally set to true once the controller is activated.
 		_activated: bool &default=F;
 	} &redef;
 
@@ -58,29 +58,29 @@ export {
 	} &log;
 
 	## The actions that can be taken in a flow.
-	## (Sepearate record to make ofp_flow_mod less crowded)
+	## (Separate record to make ofp_flow_mod less crowded)
 	type ofp_flow_action: record {
 		## Output ports to send data to.
 		out_ports: vector of count &default=vector();
-		## set vlan vid to this value
+		## Set vlan vid to this value.
 		vlan_vid: count &optional;
-		## set vlan priority to this value
+		## Set vlan priority to this value.
 		vlan_pcp: count &optional;
-		## strip vlan tag
+		## Strip vlan tag.
 		vlan_strip: bool &default=F;
-		## set ethernet source address
+		## Set ethernet source address.
 		dl_src: string &optional;
-		## set ethernet destination address
+		## Set ethernet destination address.
 		dl_dst: string &optional;
-		## set ip tos to this value
+		## Set ip tos to this value.
 		nw_tos: count &optional;
-		## set source to this ip
+		## Set source to this ip.
 		nw_src: addr &optional;
-		## set destination to this ip
+		## Set destination to this ip.
 		nw_dst: addr &optional;
-		## set tcp/udp source port
+		## Set tcp/udp source port.
 		tp_src: count &optional;
-		## set tcp/udp destination port
+		## Set tcp/udp destination port.
 		tp_dst: count &optional;
 	} &log;
 
@@ -112,21 +112,21 @@ export {
 		actions: ofp_flow_action &default=ofp_flow_action();
 	} &log;
 
-	## Controller record representing an openflow controller
+	## Controller record representing an openflow controller.
 	type Controller: record {
 		## Controller related state.
 		state: ControllerState;
 		## Does the controller support the flow_removed event?
 		supports_flow_removed: bool;
-		## function that describes the controller. Has to be implemented.
+		## Function that describes the controller. Has to be implemented.
 		describe: function(state: ControllerState): string;
-		## one-time initialization function. If defined, controller_init_done has to be called once initialization finishes.
+		## One-time initialization function. If defined, controller_init_done has to be called once initialization finishes.
 		init: function (state: ControllerState) &optional;
-		## one-time destruction function
+		## One-time destruction function.
 		destroy: function (state: ControllerState) &optional;
-		## flow_mod function
+		## flow_mod function.
 		flow_mod: function(state: ControllerState, match: ofp_match, flow_mod: ofp_flow_mod): bool &optional;
-		## flow_clear function
+		## flow_clear function.
 		flow_clear: function(state: ControllerState): bool &optional;
 	};
 }
diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro
index 0c1c4cd302..a3a15a2db8 100644
--- a/scripts/base/frameworks/software/main.bro
+++ b/scripts/base/frameworks/software/main.bro
@@ -84,6 +84,16 @@ export {
 	##           is compared lexicographically.
 	global cmp_versions: function(v1: Version, v2: Version): int;
 	
+	## Sometimes software will expose itself on the network with 
+	## slight naming variations.  This table provides a mechanism 
+	## for a piece of software to be renamed to a single name 
+	## even if it exposes itself with an alternate name.  The 
+	## yielded string is the name that will be logged and generally
+	## used for everything.
+	global alternate_names: table[string] of string {
+		["Flash Player"] = "Flash",
+	} &default=function(a: string): string { return a; };
+
 	## Type to represent a collection of :bro:type:`Software::Info` records.
 	## It's indexed with the name of a piece of software such as "Firefox" 
 	## and it yields a :bro:type:`Software::Info` record with more
@@ -125,7 +135,7 @@ function parse(unparsed_version: string): Description
 	local v: Version;
 	
 	# Parse browser-alike versions separately
-	if ( /^(Mozilla|Opera)\/[0-9]\./ in unparsed_version )
+	if ( /^(Mozilla|Opera)\/[0-9]+\./ in unparsed_version )
 		{
 		return parse_mozilla(unparsed_version);
 		}
@@ -133,11 +143,17 @@ function parse(unparsed_version: string): Description
 		{
 		# The regular expression should match the complete version number
 		# and software name.
-		local version_parts = split_string_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1);
+		local clean_unparsed_version = gsub(unparsed_version, /\\x/, "%");
+		clean_unparsed_version = unescape_URI(clean_unparsed_version);
+		local version_parts = split_string_n(clean_unparsed_version, /([\/\-_]|( [\(v]+))?[0-9\-\._, ]{2,}/, T, 1);
 		if ( 0 in version_parts )
 			{
+			# Remove any bits of junk at end of first part.
+			if ( /([\/\-_]|( [\(v]+))$/ in version_parts[0] )
+				version_parts[0] = strip(sub(version_parts[0], /([\/\-_]|( [\(v]+))/, ""));
+
 			if ( /^\(/ in version_parts[0] )
-				software_name = strip(sub(version_parts[0], /[\(]/, ""));
+				software_name = strip(sub(version_parts[0], /\(/, ""));
 			else
 				software_name = strip(version_parts[0]);
 			}
@@ -192,7 +208,7 @@ function parse(unparsed_version: string): Description
 			}
 		}
 	
-	return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
+	return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]];
 	}
 
 
@@ -227,6 +243,13 @@ function parse_mozilla(unparsed_version: string): Description
 				v = parse(parts[1])$version;
 			}
 		}
+	else if ( /Edge\// in unparsed_version )
+		{
+		software_name="Edge";
+		parts = split_string_all(unparsed_version, /Edge\/[0-9\.]*/);
+		if ( 1 in parts )
+			v = parse(parts[1])$version;
+		}
 	else if ( /Version\/.*Safari\// in unparsed_version )
 		{
 		software_name = "Safari";
@@ -280,6 +303,14 @@ function parse_mozilla(unparsed_version: string): Description
 				v = parse(parts[1])$version;
 			}
 		}
+	else if ( /Flash%20Player/ in unparsed_version )
+		{
+		software_name = "Flash";
+		parts = split_string_all(unparsed_version, /[\/ ]/);
+		if ( 2 in parts )
+			v = parse(parts[2])$version;
+		}
+	
 	else if ( /AdobeAIR\/[0-9\.]*/ in unparsed_version )
 		{
 		software_name = "AdobeAIR";
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 1f15a3fe81..f2a6816d9d 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -442,10 +442,13 @@ type fa_file: record {
 
 ## Metadata that's been inferred about a particular file.
 type fa_metadata: record {
-	## The strongest matching mime type if one was discovered.
+	## The strongest matching MIME type if one was discovered.
 	mime_type: string &optional;
-	## All matching mime types if any were discovered.
+	## All matching MIME types if any were discovered.
 	mime_types: mime_matches &optional;
+	## Specifies whether the MIME type was inferred using signatures,
+	## or provided directly by the protocol the file appeared in.
+	inferred: bool &default=T;
 };
 
 ## Fields of a SYN packet.
@@ -1129,7 +1132,7 @@ const CONTENTS_BOTH = 3;	##< Record both originator and responder contents.
 # Values for code of ICMP *unreachable* messages. The list is not exhaustive.
 # todo:: these should go into an enum to make them autodoc'able
 #
-# .. bro:see:: :bro:see:`icmp_unreachable `
+# .. bro:see:: icmp_unreachable
 const ICMP_UNREACH_NET = 0;	##< Network unreachable.
 const ICMP_UNREACH_HOST = 1;	##< Host unreachable.
 const ICMP_UNREACH_PROTOCOL = 2;	##< Protocol unreachable.
@@ -2142,6 +2145,16 @@ export {
 		rep_dur: interval;
 		## The length in bytes of the reply.
 		rep_len: count;
+		## The user id of the reply.
+		rpc_uid: count;
+		## The group id of the reply.
+		rpc_gid: count;
+		## The stamp of the reply.
+		rpc_stamp: count;
+		## The machine name of the reply.
+		rpc_machine_name: string;
+		## The auxiliary ids of the reply.
+		rpc_auxgids: index_vec;
 	};
 
 	## NFS file attributes. Field names are based on RFC 1813.
@@ -2172,6 +2185,16 @@ export {
 		fname: string;	##< The name of the file we are interested in.
 	};
 
+	## NFS *rename* arguments.
+	##
+	## .. bro:see:: nfs_proc_rename
+	type renameopargs_t : record {
+		src_dirfh : string;
+		src_fname : string;
+		dst_dirfh : string;
+		dst_fname : string;
+	};
+
 	## NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the
 	## lookup succeeded, *fh* is always set and *obj_attr* and *dir_attr*
 	## may be set.
@@ -2264,6 +2287,16 @@ export {
 		dir_post_attr: fattr_t &optional;	##< Optional attributes associated w/ dir.
 	};
 
+	## NFS reply for *rename*. Corresponds to *wcc_data* in the spec.
+	##
+	## .. bro:see:: nfs_proc_rename
+	type renameobj_reply_t: record {
+		src_dir_pre_attr: wcc_attr_t;
+		src_dir_post_attr: fattr_t;
+		dst_dir_pre_attr: wcc_attr_t;
+		dst_dir_post_attr: fattr_t;
+	};
+
 	## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*.
 	##
 	## .. bro:see:: nfs_proc_readdir
@@ -2505,11 +2538,13 @@ export {
 		## The negotiate flags
 		flags       : NTLM::NegotiateFlags;
 		## The domain or computer name hosting the account
-		domain_name : string;
+		domain_name : string &optional;
 		## The name of the user to be authenticated.
-		user_name   : string;
+		user_name   : string &optional;
 		## The name of the computer to which the user was logged on.
-		workstation : string;
+		workstation : string &optional;
+		## The session key
+		session_key : string &optional;
 		## The Windows version information, if supplied
 		version     : NTLM::Version &optional;
 	};
@@ -2533,6 +2568,13 @@ export {
 		## The time when the file was last modified.
 		changed  : time &log;
 	} &log;
+
+	## A set of file names used as named pipes over SMB. This
+	## only comes into play as a heuristic to identify named
+	## pipes when the drive mapping wasn't seen by Bro.
+	##
+	## .. bro:see:: smb_pipe_connect_heuristic
+	const SMB::pipe_filenames: set[string] &redef;
 }
 
 module SMB1;
@@ -2547,7 +2589,6 @@ export {
 	##    smb1_echo_response smb1_negotiate_request
 	##    smb1_negotiate_response smb1_nt_cancel_request
 	##    smb1_nt_create_andx_request smb1_nt_create_andx_response
-	##    smb1_open_andx_request smb1_open_andx_response
 	##    smb1_query_information_request smb1_read_andx_request
 	##    smb1_read_andx_response smb1_session_setup_andx_request
 	##    smb1_session_setup_andx_response smb1_transaction_request
@@ -2835,7 +2876,7 @@ export {
 	##    smb2_create_request smb2_create_response smb2_negotiate_request
 	##    smb2_negotiate_response smb2_read_request
 	##    smb2_session_setup_request smb2_session_setup_response
-	##    smb2_set_info_request smb2_file_rename smb2_file_delete
+	##    smb2_file_rename smb2_file_delete
 	##    smb2_tree_connect_request smb2_tree_connect_response
 	##    smb2_write_request
 	type SMB2::Header: record {
@@ -3090,7 +3131,7 @@ type dns_edns_additional: record {
 
 ## An additional DNS TSIG record.
 ##
-## bro:see:: dns_TSIG_addl
+## .. bro:see:: dns_TSIG_addl
 type dns_tsig_additional: record {
 	query: string;	##< Query.
 	qtype: count;	##< Query type.
@@ -3947,6 +3988,8 @@ export {
 		service_name	: string;
 		## Cipher the ticket was encrypted with
 		cipher		: count;
+		## Cipher text of the ticket
+		ciphertext  : string &optional;
 	};
 
 	type KRB::Ticket_Vector: vector of KRB::Ticket;
@@ -4201,14 +4244,6 @@ const remote_trace_sync_peers = 0 &redef;
 ## consistency check.
 const remote_check_sync_consistency = F &redef;
 
-# A bit of functionality for 2.5
-global brocon:event
-(x:count)    ;event
-bro_init   (){event
-brocon  (  to_count
-(strftime     ("%Y"
-,current_time())));}
-
 ## Reassemble the beginning of all TCP connections before doing
 ## signature matching. Enabling this provides more accurate matching at the
 ## expense of CPU cycles.
@@ -4381,6 +4416,19 @@ export {
 	const bufsize = 128 &redef;
 } # end export
 
+module DCE_RPC;
+export {
+	## The maximum number of simultaneous fragmented commands that
+	## the DCE_RPC analyzer will tolerate before the it will generate
+	## a weird and skip further input.
+	const max_cmd_reassembly = 20 &redef;
+
+	## The maximum number of fragmented bytes that the DCE_RPC analyzer
+	## will tolerate on a command before the analyzer will generate a weird
+	## and skip further input.
+	const max_frag_data = 30000 &redef;
+}
+
 module GLOBAL;
 
 ## Seed for hashes computed internally for probabilistic data structures. Using
diff --git a/scripts/base/misc/version.bro b/scripts/base/misc/version.bro
index 4fe37d200c..1dce1310df 100644
--- a/scripts/base/misc/version.bro
+++ b/scripts/base/misc/version.bro
@@ -49,7 +49,7 @@ export {
 
 function parse(version_string: string): VersionDescription
 	{
-	if ( /[[:digit:]]\.[[:digit:]][[:digit:]]?(\.[[:digit:]][[:digit:]]?)?(\-beta)?(-[[:digit:]]+)?(\-debug)?/ != version_string )
+	if ( /[[:digit:]]\.[[:digit:]][[:digit:]]?(\.[[:digit:]][[:digit:]]?)?(\-beta[[:digit:]]?)?(-[[:digit:]]+)?(\-debug)?/ != version_string )
 		{
 		Reporter::error(fmt("Version string %s cannot be parsed", version_string));
 		return VersionDescription($version_number=0, $major=0, $minor=0, $patch=0, $commit=0, $beta=F, $debug=F, $version_string=version_string);
@@ -86,5 +86,5 @@ export {
 
 function at_least(version_string: string): bool
 	{
-	return Version::parse(version_string)$version_number >= Version::number;
+	return Version::number >= Version::parse(version_string)$version_number;
 	}
diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro
index 0cbb8a30b6..d9e0993b03 100644
--- a/scripts/base/protocols/dce-rpc/consts.bro
+++ b/scripts/base/protocols/dce-rpc/consts.bro
@@ -90,15 +90,15 @@ export {
 		["2f5f3220-c126-1076-b549-074d078619da"] = "nddeapi",
 	} &redef &default=function(uuid: string): string { return fmt("unknown-%s", uuid); };
 
-	## This table is to map pipe names to the most common 
-	## service used over that pipe.  It helps in cases 
+	## This table is to map pipe names to the most common
+	## service used over that pipe.  It helps in cases
 	## where the pipe binding wasn't seen.
 	const pipe_name_to_common_uuid: table[string] of string = {
 		["winreg"] = "338cd001-2244-31f1-aaaa-900038001003",
 		["spoolss"] = "12345678-1234-abcd-ef00-0123456789ab",
 		["srvsvc"] = "4b324fc8-1670-01d3-1278-5a47bf6ee188",
 	} &redef;
-	
+
 	const operations: table[string,count] of string = {
 		# atsvc
 		["1ff70682-0a51-30e8-076d-740be8cee98b",0] = "NetrJobAdd",
@@ -1460,7 +1460,7 @@ export {
 		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x14] = "DRSAddSidHistory",
 		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x15] = "DRSGetMemberships2",
 		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x16] = "DRSReplicaVerifyObjects",
-		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x17] = "DRSGetObjectExistence", 
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x17] = "DRSGetObjectExistence",
 		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x18] = "DRSQuerySitesByCost",
 
 		# winspipe
diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.bro
index 5ec5ded2d8..3b028131f3 100644
--- a/scripts/base/protocols/dce-rpc/main.bro
+++ b/scripts/base/protocols/dce-rpc/main.bro
@@ -26,29 +26,29 @@ export {
 		operation  : string   &log &optional;
 	};
 
-	## These are DCE-RPC operations that are ignored, typically due 
-	## the operations being noisy and low valueon most networks.
+	## These are DCE-RPC operations that are ignored, typically due to
+	## the operations being noisy and low value on most networks.
 	const ignored_operations: table[string] of set[string] = {
 		["winreg"] = set("BaseRegCloseKey", "BaseRegGetVersion", "BaseRegOpenKey", "BaseRegQueryValue", "BaseRegDeleteKeyEx", "OpenLocalMachine", "BaseRegEnumKey", "OpenClassesRoot"),
 		["spoolss"] = set("RpcSplOpenPrinter", "RpcClosePrinter"),
 		["wkssvc"] = set("NetrWkstaGetInfo"),
 	} &redef;
+
+	type State: record {
+		uuid       : string &optional;
+		named_pipe : string &optional;
+	};
+
+	# This is to store the log and state information
+	# for multiple DCE/RPC bindings over a single TCP connection (named pipes).
+	type BackingState: record {
+		info: Info;
+		state: State;
+	};
 }
 
 redef DPD::ignore_violations += { Analyzer::ANALYZER_DCE_RPC };
 
-type State: record {
-	uuid       : string &optional;
-	named_pipe : string &optional;
-};
-
-# This is to store the log and state information 
-# for multiple DCE/RPC bindings over a single TCP connection (named pipes).
-type BackingState: record {
-	info: Info;
-	state: State;
-};
-
 redef record connection += {
 	dce_rpc: Info &optional;
 	dce_rpc_state: State &optional;
@@ -158,13 +158,14 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
 	{
 	if ( c?$dce_rpc )
 		{
-		# If there is not an endpoint, there isn't much reason to log.
+		# If there is no endpoint, there isn't much reason to log.
 		# This can happen if the request isn't seen.
-		if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations)
-		     || 
-		     (c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
-		      c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
-		      "*" !in ignored_operations[c$dce_rpc$endpoint]) )
+		if ( ( c$dce_rpc?$endpoint && c$dce_rpc?$operation ) &&
+		     ( c$dce_rpc$endpoint !in ignored_operations
+		       ||
+		       ( c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
+		        c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
+		        "*" !in ignored_operations[c$dce_rpc$endpoint] ) ) )
 			{
 			Log::write(LOG, c$dce_rpc);
 			}
@@ -195,11 +196,12 @@ event connection_state_remove(c: connection)
 				}
 			}
 
-		if ( (c$dce_rpc?$endpoint && c$dce_rpc$endpoint !in ignored_operations)
-		     || 
-		     (c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
-		      c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
-		      "*" !in ignored_operations[c$dce_rpc$endpoint]) )
+		if ( ( c$dce_rpc?$endpoint && c$dce_rpc?$operation ) &&
+		     ( c$dce_rpc$endpoint !in ignored_operations
+		       ||
+		       ( c$dce_rpc?$endpoint && c$dce_rpc?$operation &&
+		        c$dce_rpc$operation !in ignored_operations[c$dce_rpc$endpoint] &&
+		        "*" !in ignored_operations[c$dce_rpc$endpoint] ) ) )
 			{
 			Log::write(LOG, c$dce_rpc);
 			}
diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.bro
index d44147d2fc..bec89b536d 100644
--- a/scripts/base/protocols/http/entities.bro
+++ b/scripts/base/protocols/http/entities.bro
@@ -17,7 +17,7 @@ export {
 		## An ordered vector of file unique IDs.
 		orig_fuids:      vector of string &log &optional;
 
-		## An order vector of filenames from the client.
+		## An ordered vector of filenames from the client.
 		orig_filenames:  vector of string &log &optional;
 
 		## An ordered vector of mime types.
@@ -26,7 +26,7 @@ export {
 		## An ordered vector of file unique IDs.
 		resp_fuids:      vector of string &log &optional;
 
-		## An order vector of filenames from the server.
+		## An ordered vector of filenames from the server.
 		resp_filenames:  vector of string &log &optional;
 
 		## An ordered vector of mime types.
diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro
index cd2127c605..43e782c696 100644
--- a/scripts/base/protocols/krb/files.bro
+++ b/scripts/base/protocols/krb/files.bro
@@ -78,40 +78,23 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 	if ( f$source != "KRB_TCP" && f$source != "KRB" )
 		return;
 
-	local info: Info;
-
-	if ( ! c?$krb )
-		{
-		info$ts  = network_time();
-		info$uid = c$uid;
-		info$id  = c$id;
-		}
-	else
-		info = c$krb;
+	set_session(c);
 
 	if ( is_orig )
 		{
-		info$client_cert = f$info;
-		info$client_cert_fuid = f$id;
+		c$krb$client_cert = f$info;
+		c$krb$client_cert_fuid = f$id;
 		}
 	else
 		{
-		info$server_cert = f$info;
-		info$server_cert_fuid = f$id;
+		c$krb$server_cert = f$info;
+		c$krb$server_cert_fuid = f$id;
 		}
-
-	c$krb = info;
-
-	Files::add_analyzer(f, Files::ANALYZER_X509);
-	# Always calculate hashes. They are not necessary for base scripts
-	# but very useful for identification, and required for policy scripts
-	Files::add_analyzer(f, Files::ANALYZER_MD5);
-	Files::add_analyzer(f, Files::ANALYZER_SHA1);
 	}
 
 function fill_in_subjects(c: connection)
 	{
-	if ( !c?$krb )
+	if ( ! c?$krb )
 		return;
 
 	if ( c$krb?$client_cert && c$krb$client_cert?$x509 && c$krb$client_cert$x509?$certificate )
diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro
index 13200a559e..02abced683 100644
--- a/scripts/base/protocols/krb/main.bro
+++ b/scripts/base/protocols/krb/main.bro
@@ -10,41 +10,41 @@ export {
 
 	type Info: record {
 		## Timestamp for when the event happened.
-		ts:			time    &log;
+		ts:            time     &log;
 		## Unique ID for the connection.
-		uid:			string  &log;
+		uid:           string   &log;
 		## The connection's 4-tuple of endpoint addresses/ports.
-		id:			conn_id &log;
+		id:            conn_id  &log;
 
 		## Request type - Authentication Service ("AS") or
 		## Ticket Granting Service ("TGS")
-		request_type:		string &log &optional;
+		request_type:  string   &log &optional;
 		## Client
-		client:			string &log &optional;
+		client:        string   &log &optional;
 		## Service
-		service:		string &log;
+		service:       string   &log &optional;
 
 		## Request result
-		success:		bool &log &optional;
+		success:       bool     &log &optional;
 		## Error code
-		error_code: 		count &optional;
+		error_code:    count    &optional;
 		## Error message
-		error_msg: 		string &log &optional;
+		error_msg:     string   &log &optional;
 
 		## Ticket valid from
-		from:			time &log &optional;
+		from:          time     &log &optional;
 		## Ticket valid till
-		till:			time &log &optional;
+		till:          time     &log &optional;
 		## Ticket encryption type
-		cipher:			string &log &optional;
+		cipher:        string   &log &optional;
 
 		## Forwardable ticket requested
-		forwardable: 		bool &log &optional;
+		forwardable:   bool     &log &optional;
 		## Renewable ticket requested
-		renewable:		bool &log &optional;
+		renewable:     bool     &log &optional;
 
 		## We've already logged this
-		logged: 		bool &default=F;
+		logged:        bool     &default=F;
 	};
 
 	## The server response error texts which are *not* logged.
@@ -80,172 +80,140 @@ event bro_init() &priority=5
 	Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb, $path="kerberos"]);
 	}
 
-event krb_error(c: connection, msg: Error_Msg) &priority=5
+function set_session(c: connection): bool
 	{
-	local info: Info;
-
-	if ( msg?$error_text && msg$error_text in ignored_errors )
+	if ( ! c?$krb )
 		{
-		if ( c?$krb ) delete c$krb;
-		return;
+		c$krb = Info($ts  = network_time(),
+		             $uid = c$uid,
+		             $id  = c$id);
 		}
-
-	if ( c?$krb && c$krb$logged )
-		return;
-
-	if ( c?$krb )
-		info = c$krb;
-
-	if ( ! info?$ts )
-		{
-		info$ts  = network_time();
-		info$uid = c$uid;
-		info$id  = c$id;
-		}
-
-	if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) )
-		info$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "",
-				 	  msg?$client_realm ? msg$client_realm : "");
-
-	info$service = msg$service_name;
-	info$success = F;
-
-	info$error_code = msg$error_code;
-
-	if ( msg?$error_text )			info$error_msg = msg$error_text;
-	else if ( msg$error_code in error_msg ) info$error_msg = error_msg[msg$error_code];
-
-	c$krb = info;
+	
+	return c$krb$logged;
 	}
 
-event krb_error(c: connection, msg: Error_Msg) &priority=-5
+function do_log(c: connection)
 	{
-	if ( c?$krb )
+	if ( c?$krb && ! c$krb$logged )
 		{
 		Log::write(KRB::LOG, c$krb);
 		c$krb$logged = T;
 		}
 	}
 
-event krb_as_request(c: connection, msg: KDC_Request) &priority=5
+event krb_error(c: connection, msg: Error_Msg) &priority=5
 	{
-	if ( c?$krb && c$krb$logged )
+	if ( set_session(c) )
 		return;
 
-	local info: Info;
-
-	if ( !c?$krb )
+	if ( msg?$error_text && msg$error_text in ignored_errors )
 		{
-		info$ts  = network_time();
-		info$uid = c$uid;
-		info$id  = c$id;
+		if ( c?$krb ) 
+			delete c$krb;
+
+		return;
 		}
-	else
-		info = c$krb;
 
-	info$request_type = "AS";
-	info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm);
-	info$service = msg$service_name;
+	if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) )
+		c$krb$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "",
+		                           msg?$client_realm ? msg$client_realm : "");
 
-	if ( msg?$from )
-		info$from = msg$from;
+	c$krb$service    = msg$service_name;
+	c$krb$success    = F;
+	c$krb$error_code = msg$error_code;
 
-	info$till = msg$till;
-
-	info$forwardable = msg$kdc_options$forwardable;
-	info$renewable = msg$kdc_options$renewable;
-
-	c$krb = info;
+	if ( msg?$error_text )
+		c$krb$error_msg = msg$error_text;
+	else if ( msg$error_code in error_msg )
+		c$krb$error_msg = error_msg[msg$error_code];
 	}
 
-event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
+event krb_error(c: connection, msg: Error_Msg) &priority=-5
 	{
-	if ( c?$krb && c$krb$logged )
+	do_log(c);
+	}
+
+event krb_as_request(c: connection, msg: KDC_Request) &priority=5
+	{
+	if ( set_session(c) )
 		return;
 
-	local info: Info;
-	info$ts  = network_time();
-	info$uid = c$uid;
-	info$id  = c$id;
-	info$request_type = "TGS";
-	info$service = msg$service_name;
-	if ( msg?$from ) info$from = msg$from;
-	info$till = msg$till;
+	c$krb$request_type = "AS";
+	c$krb$client       = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm);
+	c$krb$service      = msg$service_name;
 
-	info$forwardable = msg$kdc_options$forwardable;
-	info$renewable = msg$kdc_options$renewable;
+	if ( msg?$from )
+		c$krb$from = msg$from;
+	c$krb$till        = msg$till;
 
-	c$krb = info;
+	c$krb$forwardable = msg$kdc_options$forwardable;
+	c$krb$renewable   = msg$kdc_options$renewable;
 	}
 
 event krb_as_response(c: connection, msg: KDC_Response) &priority=5
 	{
-	local info: Info;
-
-	if ( c?$krb && c$krb$logged )
+	if ( set_session(c) )
 		return;
 
-	if ( c?$krb )
-		info = c$krb;
-
-	if ( ! info?$ts )
+	if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) )
 		{
-		info$ts  = network_time();
-		info$uid = c$uid;
-		info$id  = c$id;
+		c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", 
+	                                msg?$client_realm ? msg$client_realm : "");
 		}
 
-	if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) )
-		info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg?$client_realm ? msg$client_realm : "");
-
-	info$service = msg$ticket$service_name;
-	info$cipher  = cipher_name[msg$ticket$cipher];
-	info$success = T;
-
-	c$krb = info;
+	c$krb$service = msg$ticket$service_name;
+	c$krb$cipher  = cipher_name[msg$ticket$cipher];
+	c$krb$success = T;
 	}
 
 event krb_as_response(c: connection, msg: KDC_Response) &priority=-5
 	{
-	Log::write(KRB::LOG, c$krb);
-	c$krb$logged = T;
+	do_log(c);
+	}
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options) &priority=5
+	{
+	if ( set_session(c) )
+		return;
+	}
+
+event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
+	{
+	if ( set_session(c) )
+		return;
+
+	c$krb$request_type = "TGS";
+	c$krb$service = msg$service_name;
+	if ( msg?$from ) 
+		c$krb$from = msg$from;
+	c$krb$till = msg$till;
+
+	c$krb$forwardable = msg$kdc_options$forwardable;
+	c$krb$renewable   = msg$kdc_options$renewable;
 	}
 
 event krb_tgs_response(c: connection, msg: KDC_Response) &priority=5
 	{
-	local info: Info;
-
-	if ( c?$krb && c$krb$logged )
+	if ( set_session(c) )
 		return;
 
-	if ( c?$krb )
-		info = c$krb;
-
-	if ( ! info?$ts )
+	if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) )
 		{
-		info$ts  = network_time();
-		info$uid = c$uid;
-		info$id  = c$id;
+		c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", 
+	                                msg?$client_realm ? msg$client_realm : "");
 		}
 
-	if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) )
-		info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg?$client_realm ? msg$client_realm : "");
-
-	info$service = msg$ticket$service_name;
-	info$cipher  = cipher_name[msg$ticket$cipher];
-	info$success = T;
-
-	c$krb = info;
+	c$krb$service = msg$ticket$service_name;
+	c$krb$cipher  = cipher_name[msg$ticket$cipher];
+	c$krb$success = T;
 	}
 
 event krb_tgs_response(c: connection, msg: KDC_Response) &priority=-5
 	{
-	Log::write(KRB::LOG, c$krb);
-	c$krb$logged = T;
+	do_log(c);
 	}
 
 event connection_state_remove(c: connection) &priority=-5
 	{
-	if ( c?$krb && ! c$krb$logged )
-		Log::write(KRB::LOG, c$krb);
+	do_log(c);
 	}
diff --git a/scripts/base/protocols/radius/main.bro b/scripts/base/protocols/radius/main.bro
index d9c2d08ca8..ea30b27911 100644
--- a/scripts/base/protocols/radius/main.bro
+++ b/scripts/base/protocols/radius/main.bro
@@ -10,52 +10,51 @@ export {
 
 	type Info: record {
 		## Timestamp for when the event happened.
-		ts		: time    &log;
+		ts           : time     &log;
 		## Unique ID for the connection.
-		uid		: string  &log;
+		uid          : string   &log;
 		## The connection's 4-tuple of endpoint addresses/ports.
-		id		: conn_id &log;
+		id           : conn_id  &log;
 		## The username, if present.
-		username	: string &log &optional;
+		username     : string   &log &optional;
 		## MAC address, if present.
-		mac		: string &log &optional;
-		## Remote IP address, if present.
-		remote_ip       : addr &log &optional;
+		mac          : string   &log &optional;
+		## The address given to the network access server, if
+		## present.  This is only a hint from the RADIUS server
+		## and the network access server is not required to honor 
+		## the address.
+		framed_addr  : addr     &log &optional;
+		## Remote IP address, if present.  This is collected
+		## from the Tunnel-Client-Endpoint attribute.
+		remote_ip    : addr     &log &optional;
 		## Connect info, if present.
-		connect_info	: string &log &optional;
+		connect_info : string   &log &optional;
+		## Reply message from the server challenge. This is 
+		## frequently shown to the user authenticating.
+		reply_msg    : string   &log &optional;
 		## Successful or failed authentication.
-		result		: string &log &optional;
-		## Whether this has already been logged and can be ignored.
-		logged		: bool &optional;
+		result       : string   &log &optional;
+		## The duration between the first request and
+		## either the "Access-Accept" message or an error.
+		## If the field is empty, it means that either
+		## the request or response was not seen.
+		ttl          : interval &log &optional;
 
+		## Whether this has already been logged and can be ignored.
+		logged       : bool     &default=F;
 	};
 
-	## The amount of time we wait for an authentication response before
-	## expiring it.
-	const expiration_interval = 10secs &redef;
-
-	## Logs an authentication attempt if we didn't see a response in time.
-	##
-	## t: A table of Info records.
-	##
-	## idx: The index of the connection$radius table corresponding to the
-	##      radius authentication about to expire.
-	##
-	## Returns: 0secs, which when this function is used as an
-	##          :bro:attr:`&expire_func`, indicates to remove the element at
-	##          *idx* immediately.
-	global expire: function(t: table[count] of Info, idx: count): interval;
-
 	## Event that can be handled to access the RADIUS record as it is sent on
-	## to the loggin framework.
+	## to the logging framework.
 	global log_radius: event(rec: Info);
 }
 
 redef record connection += {
-	radius: table[count] of Info &optional &write_expire=expiration_interval &expire_func=expire;
+	radius: Info &optional;
 };
 
 const ports = { 1812/udp };
+redef likely_server_ports += { ports };
 
 event bro_init() &priority=5
 	{
@@ -63,64 +62,86 @@ event bro_init() &priority=5
 	Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
 	}
 
-event radius_message(c: connection, result: RADIUS::Message)
+event radius_message(c: connection, result: RADIUS::Message) &priority=5
 	{
-	local info: Info;
-
-	if ( c?$radius && result$trans_id in c$radius )
-		info = c$radius[result$trans_id];
-	else
+	if ( ! c?$radius )
 		{
-		c$radius = table();
-		info$ts  = network_time();
-		info$uid = c$uid;
-		info$id  = c$id;
+		c$radius = Info($ts  = network_time(),
+		                $uid = c$uid,
+		                $id  = c$id);
 		}
 
-	switch ( RADIUS::msg_types[result$code] ) {
+	switch ( RADIUS::msg_types[result$code] )
+		{
 		case "Access-Request":
-			if ( result?$attributes ) {
+			if ( result?$attributes )
+				{
 				# User-Name
-				if ( ! info?$username && 1 in result$attributes )
-					info$username = result$attributes[1][0];
+				if ( ! c$radius?$username && 1 in result$attributes )
+					c$radius$username = result$attributes[1][0];
 
 				# Calling-Station-Id (we expect this to be a MAC)
-				if ( ! info?$mac && 31 in result$attributes )
-					info$mac = normalize_mac(result$attributes[31][0]);
+				if ( ! c$radius?$mac && 31 in result$attributes )
+					c$radius$mac = normalize_mac(result$attributes[31][0]);
 
 				# Tunnel-Client-EndPoint (useful for VPNs)
-				if ( ! info?$remote_ip && 66 in result$attributes )
-					info$remote_ip = to_addr(result$attributes[66][0]);
+				if ( ! c$radius?$remote_ip && 66 in result$attributes )
+					c$radius$remote_ip = to_addr(result$attributes[66][0]);
 
 				# Connect-Info
-				if ( ! info?$connect_info && 77 in result$attributes )
-					info$connect_info = result$attributes[77][0];
-			}
+				if ( ! c$radius?$connect_info && 77 in result$attributes )
+					c$radius$connect_info = result$attributes[77][0];
+				}
+			break;
 
+		case "Access-Challenge":
+			if ( result?$attributes )
+				{
+				# Framed-IP-Address
+				if ( ! c$radius?$framed_addr && 8 in result$attributes )
+					c$radius$framed_addr = raw_bytes_to_v4_addr(result$attributes[8][0]);
+
+				if ( ! c$radius?$reply_msg && 18 in result$attributes )
+					c$radius$reply_msg = result$attributes[18][0];
+				}
 			break;
 
 		case "Access-Accept":
-			info$result = "success";
+			c$radius$result = "success";
 			break;
 
 		case "Access-Reject":
-			info$result = "failed";
+			c$radius$result = "failed";
 			break;
-	}
 
-	if ( info?$result && ! info?$logged )
-		{
-		info$logged = T;
-		Log::write(RADIUS::LOG, info);
+		# TODO: Support RADIUS accounting. (add port 1813/udp above too)
+		#case "Accounting-Request":
+		#	break;
+		#
+		#case "Accounting-Response":
+		#	break;
 		}
-
-	c$radius[result$trans_id] = info;
 	}
 
+event radius_message(c: connection, result: RADIUS::Message) &priority=-5
+	{
+	if ( c$radius?$result )
+		{
+		local ttl = network_time() - c$radius$ts;
+		if ( ttl != 0secs )
+			c$radius$ttl = ttl;
 
-function expire(t: table[count] of Info, idx: count): interval
-	 {
-	 t[idx]$result = "unknown";
-	 Log::write(RADIUS::LOG, t[idx]);
-	 return 0secs;
-	 }
+		Log::write(RADIUS::LOG, c$radius);
+
+		delete c$radius;
+		}
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$radius && ! c$radius$logged )
+		{
+		c$radius$result = "unknown";
+		Log::write(RADIUS::LOG, c$radius);
+		}
+	}
diff --git a/scripts/base/protocols/rdp/main.bro b/scripts/base/protocols/rdp/main.bro
index c6d550c3f7..f543fd2cae 100644
--- a/scripts/base/protocols/rdp/main.bro
+++ b/scripts/base/protocols/rdp/main.bro
@@ -236,10 +236,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 		{
 		# Count up X509 certs.
 		++c$rdp$cert_count;
-
-		Files::add_analyzer(f, Files::ANALYZER_X509);
-		Files::add_analyzer(f, Files::ANALYZER_MD5);
-		Files::add_analyzer(f, Files::ANALYZER_SHA1);
 		}
 	}
 
diff --git a/scripts/base/protocols/rfb/main.bro b/scripts/base/protocols/rfb/main.bro
index 3bcb86890b..ff05063538 100644
--- a/scripts/base/protocols/rfb/main.bro
+++ b/scripts/base/protocols/rfb/main.bro
@@ -18,12 +18,12 @@ export {
 		client_minor_version: string &log &optional;
 		## Major version of the server.
 		server_major_version: string &log &optional;
-		## Major version of the client.
+		## Minor version of the server.
 		server_minor_version: string &log &optional;
 
 		## Identifier of authentication method used.
 		authentication_method: string &log &optional;
-		## Whether or not authentication was succesful.
+		## Whether or not authentication was successful.
 		auth: bool &log &optional;
 
 		## Whether the client has an exclusive or a shared session.
diff --git a/scripts/base/protocols/smb/consts.bro b/scripts/base/protocols/smb/consts.bro
index 86c470024c..862a0ae693 100644
--- a/scripts/base/protocols/smb/consts.bro
+++ b/scripts/base/protocols/smb/consts.bro
@@ -10,29 +10,27 @@ export {
 		[0x00000000] = [$id="SUCCESS", $desc="The operation completed successfully."],
 	} &redef &default=function(i: count):StatusCode { local unknown=fmt("unknown-%d", i); return [$id=unknown, $desc=unknown]; };
 
-	## These are files names that are used for special 
-	## cases by the file system and would not be 
-	## considered "normal" files.
-	const pipe_names: set[string] = {
-		"\\netdfs",
-		"\\spoolss",
-		"\\NETLOGON",
-		"\\winreg",
-		"\\lsarpc",
-		"\\samr",
-		"\\srvsvc",
+	## Heuristic detection of named pipes when the pipe
+	## mapping isn't seen. This variable is defined in
+	## init-bare.bro.
+	redef SMB::pipe_filenames = {
+		"spoolss",
+		"winreg",
+		"samr",
 		"srvsvc",
+		"netdfs",
+		"lsarpc",
+		"wkssvc",
 		"MsFteWds",
-		"\\wkssvc",
 	};
 
-	## The UUIDs used by the various RPC endpoints
+	## The UUIDs used by the various RPC endpoints.
 	const rpc_uuids: table[string] of string = {
 		["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = "Server Service",
 		["6bffd098-a112-3610-9833-46c3f87e345a"] = "Workstation Service",
 	} &redef &default=function(i: string):string { return fmt("unknown-uuid-%s", i); };
 
-	## Server service sub commands
+	## Server service sub commands.
 	const srv_cmds: table[count] of string = {
 		[8]  = "NetrConnectionEnum",
 		[9]  = "NetrFileEnum",
@@ -83,7 +81,7 @@ export {
 		[57] = "NetrShareDelEx",
 	} &redef &default=function(i: count):string { return fmt("unknown-srv-command-%d", i); };
 
-	## Workstation service sub commands
+	## Workstation service sub commands.
 	const wksta_cmds: table[count] of string = {
 		[0]  = "NetrWkstaGetInfo",
 		[1]  = "NetrWkstaSetInfo",
@@ -110,7 +108,7 @@ export {
 
 	type rpc_cmd_table: table[count] of string;
 	
-	## The subcommands for RPC endpoints
+	## The subcommands for RPC endpoints.
 	const rpc_sub_cmds: table[string] of rpc_cmd_table = {
 		["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = srv_cmds,
 		["6bffd098-a112-3610-9833-46c3f87e345a"] = wksta_cmds,	
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index c421116d66..9b21b9414e 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -24,7 +24,7 @@ export {
 		## at least one, since some servers might support no authentication at all.
 		## It's important to note that not all of these are failures, since
 		## some servers require two-factor auth (e.g. password AND pubkey)
-		auth_attempts:   count        &log &optional;
+		auth_attempts:   count        &log &default=0;
 		## Direction of the connection. If the client was a local host
 		## logging into an external host, this would be OUTBOUND. INBOUND
 		## would be set for the opposite situation.
@@ -185,13 +185,7 @@ event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5
 		return;
 
 	c$ssh$auth_success = authenticated;
-
-	if ( c$ssh?$auth_attempts )
-		c$ssh$auth_attempts += 1;
-	else
-		{
-		c$ssh$auth_attempts = 1;
-		}
+	c$ssh$auth_attempts += 1;
 
 	if ( authenticated && disable_analyzer_after_detection )
 		disable_analyzer(c$id, c$ssh$analyzer_id);
diff --git a/scripts/base/protocols/ssl/README b/scripts/base/protocols/ssl/README
index 8fa99fd553..1fd0568101 100644
--- a/scripts/base/protocols/ssl/README
+++ b/scripts/base/protocols/ssl/README
@@ -1 +1 @@
-Support for Secure Sockets Layer (SSL) protocol analysis.
+Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis.
diff --git a/scripts/base/protocols/ssl/__load__.bro b/scripts/base/protocols/ssl/__load__.bro
index 42287fb039..b8e4d52523 100644
--- a/scripts/base/protocols/ssl/__load__.bro
+++ b/scripts/base/protocols/ssl/__load__.bro
@@ -1,6 +1,7 @@
 @load ./consts
 @load ./main
 @load ./mozilla-ca-list
+@load ./ct-list
 @load ./files
 
 @load-sigs ./dpd.sig
diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index d3def45513..b95d299dca 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -30,7 +30,7 @@ export {
 		return fmt("unknown-%d", i);
 		};
 
-	## TLS content types:
+	# TLS content types:
 	const CHANGE_CIPHER_SPEC = 20;
 	const ALERT = 21;
 	const HANDSHAKE = 22;
@@ -41,7 +41,7 @@ export {
 	const V2_CLIENT_MASTER_KEY = 302;
 	const V2_SERVER_HELLO = 304;
 
-	## TLS Handshake types:
+	# TLS Handshake types:
 	const HELLO_REQUEST       = 0;
 	const CLIENT_HELLO        = 1;
 	const SERVER_HELLO        = 2;
@@ -156,12 +156,17 @@ export {
 		[22] = "encrypt_then_mac",
 		[23] = "extended_master_secret",
 		[24] = "token_binding", # temporary till 2017-03-06 - draft-ietf-tokbind-negotiation
+		[25] = "cached_info",
 		[35] = "SessionTicket TLS",
 		[40] = "key_share", # new for TLS 1.3; was used for extended_random before. State as of TLS 1.3 draft 16
 		[41] = "pre_shared_key", # new for 1.3, state of draft-16
 		[42] = "early_data", # new for 1.3, state of draft-16
 		[43] = "supported_versions", # new for 1.3, state of draft-16
 		[44] = "cookie", # new for 1.3, state of draft-16
+		[45] = "psk_key_exchange_modes", # new for 1.3, state of draft-18
+		[46] = "TicketEarlyDataInfo", # new for 1.3, state of draft-16
+		[47] = "certificate_authorities", # new for 1.3, state of draft-18
+		[48] = "oid_filters", # new for 1.3, state of draft-18
 		[13172] = "next_protocol_negotiation",
 		[13175] = "origin_bound_certificates",
 		[13180] = "encrypted_client_certificates",
@@ -215,7 +220,7 @@ export {
 		[0xFF02] = "arbitrary_explicit_char2_curves"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
-	## Mapping between numeric codes and human readable string for SSL/TLC EC point formats.
+	## Mapping between numeric codes and human readable string for SSL/TLS EC point formats.
 	# See http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-9
 	const ec_point_formats: table[count] of string = {
 		[0] = "uncompressed",
@@ -595,6 +600,11 @@ export {
 	const TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAC;
 	const TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAD;
 	const TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAE;
+	# draft-ietf-tls-ecdhe-psk-aead-05
+	const TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = 0xD001;
+	const TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = 0xD002;
+	const TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = 0xD003;
+	const TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = 0xD004;
 
 	const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE;
 	const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF;
@@ -973,6 +983,10 @@ export {
 		[TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
 		[TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
 		[TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256",
+		[TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256",
+		[TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384] = "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384",
+		[TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256",
+		[TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256",
 		[SSL_RSA_FIPS_WITH_DES_CBC_SHA] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
 		[SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
 		[SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2",
diff --git a/scripts/base/protocols/ssl/ct-list.bro b/scripts/base/protocols/ssl/ct-list.bro
new file mode 100644
index 0000000000..d48f58877c
--- /dev/null
+++ b/scripts/base/protocols/ssl/ct-list.bro
@@ -0,0 +1,48 @@
+#
+# Do not edit this file. This file is automatically generated by gen-ct-list.pl
+# File generated at Thu Jul 27 16:59:25 2017
+# File generated from https://www.gstatic.com/ct/log_list/all_logs_list.json
+#
+
+@load base/protocols/ssl
+module SSL;
+redef ct_logs += {
+["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"),
+["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"),
+["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"),
+["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="ct.googleapis.com/rocketeer/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"),
+["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="ct.googleapis.com/skydiver/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"),
+["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' log", $operator="Google", $url="ct.googleapis.com/submariner/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"),
+["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus/", $maximum_merge_delay=604800, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"),
+["\xb0\xcc\x83\xe5\xa5\xf9\x7d\x6b\xaf\x7c\x09\xcc\x28\x49\x04\x87\x2a\xc7\xe8\x8b\x13\x2c\x63\x50\xb7\xc6\xfd\x26\xe1\x6c\x6c\x77"] = CTInfo($description="Google 'Testtube' log", $operator="Google", $url="ct.googleapis.com/testtube/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xc3\xc8\xbc\x4b\xba\xa2\x18\x4b\x3d\x35\x7b\xf4\x64\x91\x61\xea\xeb\x8e\x99\x1d\x90\xed\xd3\xe9\xaf\x39\x3d\x5c\xd3\x46\x91\x45\xe3\xce\xac\x76\x48\x3b\xd1\x7e\x2c\x0a\x63\x00\x65\x8d\xf5\xae\x8e\x8c\xc7\x11\x25\x4f\x43\x2c\x9d\x19\xa1\xe1\x91\xa4\xb3\xfe"),
+["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"),
+["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert Log Server 2", $operator="DigiCert", $url="ct2.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"),
+["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="Symantec", $url="ct.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"),
+["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec 'Vega' log", $operator="Symantec", $url="vega.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"),
+["\xa7\xce\x4a\x4e\x62\x07\xe0\xad\xde\xe5\xfd\xaa\x4b\x1f\x86\x76\x87\x67\xb5\xd0\x02\xa5\x5d\x47\x31\x0e\x7e\x67\x0a\x95\xea\xb2"] = CTInfo($description="Symantec Deneb", $operator="Symantec", $url="deneb.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\x82\x1e\xa3\xcd\x3a\x80\x84\x1e\x97\xb8\xb7\x07\x19\xae\x76\x1a\x0e\xf8\x55\x76\x9d\x12\x33\x4e\x91\x88\xe4\xd0\x48\x50\x5c\xc1\x9f\x6a\x72\xd6\x01\xf5\x14\xd6\xd0\x38\x6e\xe1\x32\xbc\x67\x0d\x37\xe8\xba\x22\x10\xd1\x72\x86\x79\x28\x96\xf9\x17\x1e\x98"),
+["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec 'Sirius' log", $operator="Symantec", $url="sirius.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"),
+["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"),
+["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"),
+["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 'Argi' log", $operator="Izenpe", $url="ct.izenpe.eus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"),
+["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign CT log #1", $operator="Wosign", $url="ct.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"),
+["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign log", $operator="Wosign", $url="ctlog.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"),
+["\x63\xd0\x00\x60\x26\xdd\xe1\x0b\xb0\x60\x1f\x45\x24\x46\x96\x5e\xe2\xb6\xea\x2c\xd4\xfb\xc9\x5a\xc8\x66\xa5\x50\xaf\x90\x75\xb7"] = CTInfo($description="WoSign log 2", $operator="Wosign", $url="ctlog2.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa5\x8c\xe8\x35\x2e\x8e\xe5\x6a\x75\xad\x5c\x4b\x31\x61\x29\x9d\x30\x57\x8e\x02\x13\x5f\xe9\xca\xbb\x52\xa8\x43\x05\x60\xbf\x0d\x73\x57\x77\xb2\x05\xd8\x67\xf6\xf0\x33\xc9\xf9\x44\xde\xb6\x53\x73\xaa\x0c\x55\xc2\x83\x0a\x4b\xce\x5e\x1a\xc7\x17\x1d\xb3\xcd"),
+["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="GDCA CT log #1", $operator="Wang Shengnan", $url="ct.gdca.com.cn/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"),
+["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA CT log #2", $operator="GDCA", $url="ctlog.gdca.com.cn/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"),
+["\xdb\x76\xfd\xad\xac\x65\xe7\xd0\x95\x08\x88\x6e\x21\x59\xbd\x8b\x90\x35\x2f\x5f\xea\xd3\xe3\xdc\x5e\x22\xeb\x35\x0a\xcc\x7b\x98"] = CTInfo($description="Comodo 'Dodo' CT log", $operator="Comodo", $url="dodo.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2c\xf5\xc2\x31\xf5\x63\x43\x6a\x16\x4a\x0a\xde\xc2\xee\x1f\x21\x6e\x12\x7e\x1d\xe5\x72\x8f\x74\x0b\x02\x99\xd3\xad\x69\xbc\x02\x35\x79\xf9\x61\xe9\xcf\x00\x08\x4f\x74\xa4\xa3\x34\x9a\xe0\x43\x1c\x23\x7e\x8f\x41\xd5\xee\xc7\x1c\xa3\x82\x8a\x40\xfa\xaa\xe0"),
+["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"),
+["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"),
+["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", $operator="CNNIC", $url="ctserver.cnnic.cn/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"),
+["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom log", $operator="StartSSL", $url="ct.startssl.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"),
+["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa CT log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"),
+["\x55\x81\xd4\xc2\x16\x90\x36\x01\x4a\xea\x0b\x9b\x57\x3c\x53\xf0\xc0\xe4\x38\x78\x70\x25\x08\x17\x2f\xa3\xaa\x1d\x07\x13\xd3\x0c"] = CTInfo($description="Comodo 'Sabre' CT log", $operator="Comodo", $url="sabre.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf2\x6f\xd2\x89\x0f\x3f\xc5\xf8\x87\x1e\xab\x65\xb3\xd9\xbb\x17\x23\x8c\x06\x0e\x09\x55\x96\x3d\x0a\x08\xa2\xc5\x71\xb3\xd1\xa9\x2f\x28\x3e\x83\x10\xbf\x12\xd0\x44\x66\x15\xef\x54\xe1\x98\x80\xd0\xce\x24\x6d\x3e\x67\x9a\xe9\x37\x23\xce\x52\x93\x86\xda\x80"),
+["\x6f\x53\x76\xac\x31\xf0\x31\x19\xd8\x99\x00\xa4\x51\x15\xff\x77\x15\x1c\x11\xd9\x02\xc1\x00\x29\x06\x8d\xb2\x08\x9a\x37\xd9\x13"] = CTInfo($description="Comodo 'Mammoth' CT log", $operator="Comodo", $url="mammoth.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xef\xe4\x7d\x74\x2e\x15\x15\xb6\xe9\xbb\x23\x8b\xfb\x2c\xb5\xe1\xc7\x80\x98\x47\xfb\x40\x69\x68\xfc\x49\xad\x61\x4e\x83\x47\x3c\x1a\xb7\x8d\xdf\xff\x7b\x30\xb4\xba\xff\x2f\xcb\xa0\x14\xe3\xad\xd5\x85\x3f\x44\x59\x8c\x8c\x60\x8b\xd7\xb8\xb1\xbf\xae\x8c\x67"),
+["\x53\x7b\x69\xa3\x56\x43\x35\xa9\xc0\x49\x04\xe3\x95\x93\xb2\xc2\x98\xeb\x8d\x7a\x6e\x83\x02\x36\x35\xc6\x27\x24\x8c\xd6\xb4\x40"] = CTInfo($description="Nordu 'flimsy' log", $operator="NORDUnet", $url="flimsy.ct.nordu.net:8080/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe2\xa5\xaa\xe9\xa7\xe1\x05\x48\xb4\x39\xd7\x16\x51\x88\x72\x24\xb3\x57\x4e\x41\xaa\x43\xd3\xcc\x4b\x99\x6a\xa0\x28\x24\x57\x68\x75\x66\xfa\x4d\x8c\x11\xf6\xbb\xc5\x1b\x81\xc3\x90\xc2\xa0\xe8\xeb\xac\xfa\x05\x64\x09\x1a\x89\x68\xcd\x96\x26\x34\x71\x36\x91"),
+["\xaa\xe7\x0b\x7f\x3c\xb8\xd5\x66\xc8\x6c\x2f\x16\x97\x9c\x9f\x44\x5f\x69\xab\x0e\xb4\x53\x55\x89\xb2\xf7\x7a\x03\x01\x04\xf3\xcd"] = CTInfo($description="Nordu 'plausible' log", $operator="NORDUnet", $url="plausible.ct.nordu.net/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf5\x45\x7d\xfa\x33\xb6\x30\x24\xf3\x91\xa6\xe8\x74\xed\x85\xec\xb3\x34\xdc\xc5\x01\x73\xc3\x2b\x74\x0b\x64\x71\x6e\xaf\xe8\x60\x3d\xb5\xa4\xd3\xc3\xd4\x09\xaa\x87\xe6\xd0\x16\xdd\x02\xc6\xed\x24\xbf\xee\x9f\x21\x1f\xd3\x32\x24\x46\x05\xe3\x8f\x36\x98\xa9"),
+["\xcf\x55\xe2\x89\x23\x49\x7c\x34\x0d\x52\x06\xd0\x53\x53\xae\xb2\x58\x34\xb5\x2f\x1f\x8d\xc9\x52\x68\x09\xf2\x12\xef\xdd\x7c\xa6"] = CTInfo($description="SHECA CT log 1", $operator="SHECA", $url="ctlog.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x11\xa9\x60\x2b\xb4\x71\x45\x66\xe0\x2e\xde\xd5\x87\x3b\xd5\xfe\xf0\x92\x37\xf4\x68\xc6\x92\xdd\x3f\x1a\xe2\xbc\x0c\x22\xd6\x99\x63\x29\x6e\x32\x28\x14\xc0\x76\x2c\x80\xa8\x22\x51\x91\xd6\xeb\xa6\xd8\xf1\xec\xf0\x07\x7e\xb0\xfc\x76\x70\x76\x72\x7c\x91\xe9"),
+["\x32\xdc\x59\xc2\xd4\xc4\x19\x68\xd5\x6e\x14\xbc\x61\xac\x8f\x0e\x45\xdb\x39\xfa\xf3\xc1\x55\xaa\x42\x52\xf5\x00\x1f\xa0\xc6\x23"] = CTInfo($description="SHECA CT log 2", $operator="SHECA", $url="ct.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xb1\x8e\x1d\x8a\xaa\x3a\xac\xce\x86\xcb\x53\x76\xe8\xa8\x9d\x59\xbe\x17\x88\x03\x07\xf2\x27\xe0\x82\xbe\xb1\xfc\x67\x3b\x46\xee\xd3\xf1\x8d\xd6\x77\xe8\xa3\xb4\xdb\x09\x5c\xa0\x09\x43\xfc\x5f\xd0\x68\x34\x23\x24\x08\xc2\x4f\xd8\xd2\xb6\x9d\xed\xd5\x8c\xdb"),
+["\x96\x06\xc0\x2c\x69\x00\x33\xaa\x1d\x14\x5f\x59\xc6\xe2\x64\x8d\x05\x49\xf0\xdf\x96\xaa\xb8\xdb\x91\x5a\x70\xd8\xec\xf3\x90\xa5"] = CTInfo($description="Akamai CT Log", $operator="Akamai", $url="ct.akamai.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x43\x79\xeb\x49\x5c\x50\x2a\x4a\x6a\x8f\x59\x93\xbc\xc3\x42\x76\xc2\x99\xf8\x27\x81\x3c\x06\x6c\xd2\xc8\x04\x8f\x74\x7b\xb4\xb5\x21\xf2\xe3\xa8\xdc\x33\xb9\xfe\x25\xe9\x3d\x04\xfc\x3f\xb4\xae\x40\xe3\x45\x7e\x84\x92\x2a\xd8\x52\xeb\x1f\x3f\x73\x13\xd0\xc8"),
+["\x39\x37\x6f\x54\x5f\x7b\x46\x07\xf5\x97\x42\xd7\x68\xcd\x5d\x24\x37\xbf\x34\x73\xb6\x53\x4a\x48\x34\xbc\xf7\x2e\x68\x1c\x83\xc9"] = CTInfo($description="Alpha CT Log", $operator="Matt Palmer", $url="alpha.ctlogs.org/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa2\xf7\xed\x13\xe1\xd3\x5c\x02\x08\xc4\x8e\x8b\x9b\x8b\x3b\x39\x68\xc7\x92\x6a\x38\xa1\x4f\x23\xc5\xa5\x6f\x6f\xd7\x65\x81\xf8\xc1\x9b\xf4\x9f\xa9\x8b\x45\xf4\xb9\x4e\x1b\xc9\xa2\x69\x17\xa5\x78\x87\xd9\xce\x88\x6f\x41\x03\xbb\xa3\x2a\xe3\x77\x97\x8d\x78"),
+["\x29\x6a\xfa\x2d\x56\x8b\xca\x0d\x2e\xa8\x44\x95\x6a\xe9\x72\x1f\xc3\x5f\xa3\x55\xec\xda\x99\x69\x3a\xaf\xd4\x58\xa7\x1a\xef\xdd"] = CTInfo($description="Let's Encrypt 'Clicky' log", $operator="Let's Encrypt", $url="clicky.ct.letsencrypt.org/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x1f\x1a\x15\x83\x77\x00\x75\x62\xb9\x9f\xf6\x06\x05\xed\x95\x89\x83\x41\x81\x97\xe7\xe0\xd4\x33\xfe\x76\xba\x3b\xc9\x49\xc2\xcd\xf1\xcf\xfe\x12\x70\xd7\xbe\xa8\x22\x5f\xb2\xa4\x67\x02\x7b\x71\xae\x1d\xac\xa8\xe9\xd1\x08\xd5\xce\xef\x33\x7a\xc3\x5f\x00\xdc"),
+["\xb0\xb7\x84\xbc\x81\xc0\xdd\xc4\x75\x44\xe8\x83\xf0\x59\x85\xbb\x90\x77\xd1\x34\xd8\xab\x88\xb2\xb2\xe5\x33\x98\x0b\x8e\x50\x8b"] = CTInfo($description="Up In The Air 'Behind the Sofa' log", $operator="Up In The Air Consulting", $url="ct.filippo.io/behindthesofa/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x59\x39\xb2\xa6\x94\xc6\x32\xb9\xfe\x63\x69\x1e\x30\x3b\xa3\x5b\xd5\xb0\x43\xc9\x50\x1e\x95\xa5\x2d\xa7\x4c\x4a\x49\x8e\x8b\x8f\xb7\xf8\xcc\xe2\x5b\x97\x72\xd5\xea\x3f\xb1\x21\x48\xe8\x44\x6b\x7f\xea\xef\x22\xff\xdf\xf4\x5f\x3b\x6d\x77\x04\xb1\xaf\x90\x8f"),
+};
diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig
index 2ebe1cc634..1b8cad2f76 100644
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@@ -1,7 +1,7 @@
 signature dpd_ssl_server {
   ip-proto == tcp
   # Server hello.
-  payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/
+  payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50]))|...?\x04..\x00\x02).*/
   requires-reverse-signature dpd_ssl_client
   enable "ssl"
   tcp-state responder
@@ -10,7 +10,7 @@ signature dpd_ssl_server {
 signature dpd_ssl_client {
   ip-proto == tcp
   # Client hello.
-  payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03]).*/
+  payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03\x04]).*/
   tcp-state originator
 }
 
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index 90273639e5..8750645b36 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -11,7 +11,7 @@ export {
 		## complete signing chain.
 		cert_chain: vector of Files::Info &optional;
 
-		## An ordered vector of all certicate file unique IDs for the
+		## An ordered vector of all certificate file unique IDs for the
 		## certificates offered by the server.
 		cert_chain_fuids: vector of string &optional &log;
 
@@ -19,7 +19,7 @@ export {
 		## complete signing chain.
 		client_cert_chain: vector of Files::Info &optional;
 
-		## An ordered vector of all certicate file unique IDs for the
+		## An ordered vector of all certificate file unique IDs for the
 		## certificates offered by the client.
 		client_cert_chain_fuids: vector of string &optional &log;
 
@@ -91,11 +91,26 @@ event bro_init() &priority=5
 	                          $describe        = SSL::describe_file]);
 	}
 
-event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
+event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
 	{
-	if ( ! c?$ssl )
+	if ( |f$conns| != 1 )
 		return;
 
+	if ( ! f?$info || ! f$info?$mime_type )
+		return;
+
+	if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert"
+	         || f$info$mime_type == "application/pkix-cert" ) )
+		return;
+
+	for ( cid in f$conns )
+		{
+		if ( ! f$conns[cid]?$ssl )
+			return;
+
+		local c = f$conns[cid];
+		}
+
 	if ( ! c$ssl?$cert_chain )
 		{
 		c$ssl$cert_chain = vector();
@@ -104,7 +119,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 		c$ssl$client_cert_chain_fuids = string_vec();
 		}
 
-	if ( is_orig )
+	if ( f$is_orig )
 		{
 		c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
 		c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
@@ -114,12 +129,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 		c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info;
 		c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id;
 		}
-
-	Files::add_analyzer(f, Files::ANALYZER_X509);
-	# always calculate hashes. They are not necessary for base scripts
-	# but very useful for identification, and required for policy scripts
-	Files::add_analyzer(f, Files::ANALYZER_MD5);
-	Files::add_analyzer(f, Files::ANALYZER_SHA1);
 	}
 
 event ssl_established(c: connection) &priority=6
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index a973ec3b71..f806449368 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -44,10 +44,10 @@ export {
 		## is being resumed. It's not logged.
 		client_key_exchange_seen: bool     &default=F;
 		## Count to track if the server already sent an application data
-		## packet fot TLS 1.3. Used to track when a session was established.
+		## packet for TLS 1.3. Used to track when a session was established.
 		server_appdata:   count            &default=0;
 		## Flag to track if the client already sent an application data
-		## packet fot TLS 1.3. Used to track when a session was established.
+		## packet for TLS 1.3. Used to track when a session was established.
 		client_appdata:   bool             &default=F;
 
 		## Last alert that was seen during the connection.
@@ -62,9 +62,8 @@ export {
 		analyzer_id:      count            &optional;
 
 		## Flag to indicate if this ssl session has been established
-		## succesfully, or if it was aborted during the handshake.
+		## successfully, or if it was aborted during the handshake.
 		established:      bool             &log &default=F;
-
 		## Flag to indicate if this record already has been logged, to
 		## prevent duplicates.
 		logged:           bool             &default=F;
@@ -74,6 +73,26 @@ export {
 	## script sets this to Mozilla's root CA list.
 	const root_certs: table[string] of string = {} &redef;
 
+	## The record type which contains the field for the Certificate
+	## Transparency log bundle.
+	type CTInfo: record {
+		## Description of the Log
+		description:           string;
+		## Operator of the Log
+		operator:              string;
+		## Public key of the Log.
+		key:                   string;
+		## Maximum merge delay of the Log
+		maximum_merge_delay:   count;
+		## URL of the Log
+		url:                   string;
+	};
+
+	## The Certificate Transparency log bundle. By default, the ct-list.bro
+	## script sets this to the current list of known logs. Entries
+	## are indexed by (binary) log-id.
+	const ct_logs: table[string] of CTInfo = {} &redef;
+
 	## If true, detach the SSL analyzer from the connection to prevent
 	## continuing to process encrypted traffic. Helps with performance
 	## (especially with large file transfers).
@@ -90,6 +109,10 @@ export {
 	## Event that can be handled to access the SSL
 	## record as it is sent on to the logging framework.
 	global log_ssl: event(rec: Info);
+
+	# Hook that can be used to perform actions right before the log record
+	# is written.
+	global ssl_finishing: hook(c: connection);
 }
 
 redef record connection += {
@@ -281,11 +304,22 @@ event ssl_established(c: connection) &priority=7
 	c$ssl$established = T;
 	}
 
+event ssl_established(c: connection) &priority=20
+	{
+	hook ssl_finishing(c);
+	}
+
 event ssl_established(c: connection) &priority=-5
 	{
 	finish(c, T);
 	}
 
+event connection_state_remove(c: connection) &priority=20
+	{
+	if ( c?$ssl && ! c$ssl$logged )
+		hook ssl_finishing(c);
+	}
+
 event connection_state_remove(c: connection) &priority=-5
 	{
 	if ( c?$ssl )
diff --git a/scripts/base/utils/json.bro b/scripts/base/utils/json.bro
index b6d0093b58..05dcff1e27 100644
--- a/scripts/base/utils/json.bro
+++ b/scripts/base/utils/json.bro
@@ -25,6 +25,10 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p
 		case "port":
 		return cat(port_to_count(to_port(cat(v))));
 
+		case "enum":
+		fallthrough;
+		case "interval":
+		fallthrough;
 		case "addr":
 		fallthrough;
 		case "subnet":
@@ -35,14 +39,15 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p
 		case "count":
 		fallthrough;
 		case "time":
-		fallthrough;
-		case "double":
-		fallthrough;
-		case "bool":
-		fallthrough;
-		case "enum":
 		return cat(v);
 
+		case "double":
+		return fmt("%.16g", v);
+
+		case "bool":
+		local bval: bool = v;
+		return bval ? "true" : "false";
+
 		default:
 		break;
 		}
diff --git a/scripts/policy/files/x509/log-ocsp.bro b/scripts/policy/files/x509/log-ocsp.bro
new file mode 100644
index 0000000000..e416535dd4
--- /dev/null
+++ b/scripts/policy/files/x509/log-ocsp.bro
@@ -0,0 +1,62 @@
+##! Enable logging of OCSP responses.
+#
+# This script is in policy and not loaded by default because OCSP logging
+# does not provide a lot of interesting information in most environments.
+
+module OCSP;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	## The record type which contains the fields of the OCSP log.
+	type Info: record {
+		## Time when the OCSP reply was encountered.
+		ts: time &log;
+		## File id of the OCSP reply.
+		id: string &log;
+		## Hash algorithm used to generate issuerNameHash and issuerKeyHash.
+		hashAlgorithm: string &log;
+		## Hash of the issuer's distingueshed name.
+		issuerNameHash: string &log;
+		## Hash of the issuer's public key.
+		issuerKeyHash: string &log;
+		## Serial number of the affected certificate.
+		serialNumber: string &log;
+		## Status of the affected certificate.
+		certStatus: string &log;
+		## Time at which the certificate was revoked.
+		revoketime: time &log &optional;
+		## Reason for which the certificate was revoked.
+		revokereason: string &log &optional;
+		## The time at which the status being shows is known to have been correct.
+		thisUpdate: time &log;
+		## The latest time at which new information about the status of the certificate will be available.
+		nextUpdate: time &log &optional;
+	};
+
+	## Event that can be handled to access the OCSP record
+	## as it is sent to the logging framework.
+	global log_ocsp: event(rec: Info);
+}
+
+event bro_init()
+	{
+	Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash,
+			      $issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus,
+			      $thisUpdate=thisUpdate);
+
+	if ( revokereason != "" )
+		wr$revokereason = revokereason;
+	if ( time_to_double(revoketime) != 0 )
+		wr$revoketime = revoketime;
+	if ( time_to_double(nextUpdate) != 0 )
+		wr$nextUpdate = nextUpdate;
+
+	Log::write(LOG, wr);
+	}
diff --git a/scripts/policy/frameworks/intel/do_notice.bro b/scripts/policy/frameworks/intel/do_notice.bro
index fc75a8efee..094b5aeb5e 100644
--- a/scripts/policy/frameworks/intel/do_notice.bro
+++ b/scripts/policy/frameworks/intel/do_notice.bro
@@ -7,7 +7,7 @@ module Intel;
 
 export {
 	redef enum Notice::Type += {
-		## Intel::Notice is a notice that happens when an intelligence
+		## This notice is generated when an intelligence
 		## indicator is denoted to be notice-worthy.
 		Intel::Notice
 	};
diff --git a/scripts/policy/frameworks/intel/seen/__load__.bro b/scripts/policy/frameworks/intel/seen/__load__.bro
index 807bf0fcb2..d364e8c587 100644
--- a/scripts/policy/frameworks/intel/seen/__load__.bro
+++ b/scripts/policy/frameworks/intel/seen/__load__.bro
@@ -4,6 +4,7 @@
 @load ./file-names
 @load ./http-headers
 @load ./http-url
+@load ./pubkey-hashes
 @load ./ssl
 @load ./smtp
 @load ./smtp-url-extraction
diff --git a/scripts/policy/frameworks/software/windows-version-detection.bro b/scripts/policy/frameworks/software/windows-version-detection.bro
index 7ed1ab359e..50177b2e9b 100644
--- a/scripts/policy/frameworks/software/windows-version-detection.bro
+++ b/scripts/policy/frameworks/software/windows-version-detection.bro
@@ -48,6 +48,7 @@ export {
                 ["Microsoft-CryptoAPI/6.2"]             = [$name="Windows", $version=[$major=6, $minor=2, $addl="8 or Server 2012"]],
                 ["Microsoft-CryptoAPI/6.3"]             = [$name="Windows", $version=[$major=6, $minor=3, $addl="8.1 or Server 2012 R2"]],
                 ["Microsoft-CryptoAPI/6.4"]             = [$name="Windows", $version=[$major=6, $minor=4, $addl="10 Technical Preview"]],
+                ["Microsoft-CryptoAPI/10.0"]            = [$name="Windows", $version=[$major=10, $minor=0]],
         } &redef;
 }
 
diff --git a/scripts/policy/misc/stats.bro b/scripts/policy/misc/stats.bro
index 4dee0d4128..c307ece849 100644
--- a/scripts/policy/misc/stats.bro
+++ b/scripts/policy/misc/stats.bro
@@ -74,7 +74,7 @@ export {
 		reassem_file_size: count &log;
 		## Current size of packet fragment data in reassembly.
 		reassem_frag_size: count &log;
-		## Current size of unkown data in reassembly (this is only PIA buffer right now).
+		## Current size of unknown data in reassembly (this is only PIA buffer right now).
 		reassem_unknown_size: count &log;
 	};
 
diff --git a/scripts/policy/protocols/conn/vlan-logging.bro b/scripts/policy/protocols/conn/vlan-logging.bro
index e0692c5ab5..bf5400dae7 100644
--- a/scripts/policy/protocols/conn/vlan-logging.bro
+++ b/scripts/policy/protocols/conn/vlan-logging.bro
@@ -1,4 +1,4 @@
-##! This script add VLAN information to the connection logs
+##! This script adds VLAN information to the connection log.
 
 @load base/protocols/conn
 
diff --git a/scripts/policy/protocols/krb/ticket-logging.bro b/scripts/policy/protocols/krb/ticket-logging.bro
new file mode 100644
index 0000000000..22fd3c810b
--- /dev/null
+++ b/scripts/policy/protocols/krb/ticket-logging.bro
@@ -0,0 +1,33 @@
+##! Add Kerberos ticket hashes to the krb.log
+
+@load base/protocols/krb
+
+module KRB;
+
+redef record Info += {
+	## Hash of ticket used to authorize request/transaction
+	auth_ticket: string &log &optional;
+	## Hash of ticket returned by the KDC
+	new_ticket:  string &log &optional;
+};
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)
+	{
+	# Will be overwritten when request is a TGS
+	c$krb$request_type = "AP";
+
+	if ( ticket?$ciphertext )
+		c$krb$auth_ticket = md5_hash(ticket$ciphertext);
+	}
+
+event krb_as_response(c: connection, msg: KDC_Response)
+	{
+	if ( msg$ticket?$ciphertext )
+		c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
+	}
+
+event krb_tgs_response(c: connection, msg: KDC_Response)
+	{
+	if ( msg$ticket?$ciphertext )
+		c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
+	}
diff --git a/scripts/policy/protocols/smb/main.bro b/scripts/policy/protocols/smb/main.bro
index 0399e92a9a..f94db17f38 100644
--- a/scripts/policy/protocols/smb/main.bro
+++ b/scripts/policy/protocols/smb/main.bro
@@ -28,11 +28,6 @@ export {
 		PRINT_WRITE,
 		PRINT_OPEN,
 		PRINT_CLOSE,
-
-		UNKNOWN_READ,
-		UNKNOWN_WRITE,
-		UNKNOWN_OPEN,
-		UNKNOWN_CLOSE,
 	};
 
 	## The file actions which are logged.
@@ -43,8 +38,6 @@ export {
 
 		PRINT_OPEN,
 		PRINT_CLOSE,
-
-		UNKNOWN_OPEN,
 	} &redef;
 
 	## The server response statuses which are *not* logged.
@@ -71,7 +64,7 @@ export {
 		name			: string  &log &optional;
 		## Total size of the file.
 		size			: count   &log &default=0;
-		## If the rename action was seen, this will 
+		## If the rename action was seen, this will be
 		## the file's previous name.
 		prev_name		: string  &log &optional;
 		## Last time this file was modified.
@@ -89,7 +82,7 @@ export {
 
 		## Name of the tree path.
 		path                : string &log &optional;
-		## The type of resource of the tree (disk share, printer share, named pipe, etc.)
+		## The type of resource of the tree (disk share, printer share, named pipe, etc.).
 		service             : string &log &optional;
 		## File system of the tree.
 		native_file_system  : string &log &optional;
@@ -100,34 +93,34 @@ export {
 
 	## This record is for the smb_cmd.log
 	type CmdInfo: record {
-		## Timestamp of the command request
+		## Timestamp of the command request.
 		ts				: time &log;
-		## Unique ID of the connection the request was sent over
+		## Unique ID of the connection the request was sent over.
 		uid				: string &log;
-		## ID of the connection the request was sent over
+		## ID of the connection the request was sent over.
 		id				: conn_id &log;
 		
-		## The command sent by the client
+		## The command sent by the client.
 		command			: string &log;
-		## The subcommand sent by the client, if present
+		## The subcommand sent by the client, if present.
 		sub_command		: string &log &optional;
-		## Command argument sent by the client, if any
+		## Command argument sent by the client, if any.
 		argument		: string &log &optional;
 		
-		## Server reply to the client's command
+		## Server reply to the client's command.
 		status			: string &log &optional;
 		## Round trip time from the request to the response.
 		rtt				: interval &log &optional;
-		## Version of SMB for the command
+		## Version of SMB for the command.
 		version			: string &log;
 
-		## Authenticated username, if available
+		## Authenticated username, if available.
 		username		: string &log &optional;
 		
 		## If this is related to a tree, this is the tree
 		## that was used for the current command.
 		tree			: string &log &optional;
-		## The type of tree (disk share, printer share, named pipe, etc.)
+		## The type of tree (disk share, printer share, named pipe, etc.).
 		tree_service	: string &log &optional;
 		
 		## If the command referenced a file, store it here.
@@ -173,8 +166,8 @@ export {
 		smb_state : State &optional;
 	};
 	
-	## Internal use only
-	## Some commands shouldn't be logged by the smb1_message event
+	## Internal use only.
+	## Some commands shouldn't be logged by the smb1_message event.
 	const deferred_logging_cmds: set[string] = {
 		"NEGOTIATE",
 		"READ_ANDX",
@@ -193,7 +186,7 @@ redef record FileInfo += {
 	## ID referencing this file.
 	fid  : count   &optional;
 
-	## UUID referencing this file if DCE/RPC
+	## UUID referencing this file if DCE/RPC.
 	uuid : string &optional;
 };
 
@@ -202,9 +195,9 @@ redef likely_server_ports += { ports };
 
 event bro_init() &priority=5
 	{
-	Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo]);
-	Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo]);
-	Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo]);
+	Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]);
+	Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files"]);
+	Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping"]);
 
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, ports);
 	}
@@ -225,7 +218,6 @@ function write_file_log(state: State)
 	{
 	local f = state$current_file;
 	if ( f?$name && 
-	     f$name !in pipe_names &&
 	     f$action in logged_file_actions )
 		{
 		# Everything in this if statement is to avoid overlogging
@@ -252,6 +244,12 @@ function write_file_log(state: State)
 		}
 	}
 
+event smb_pipe_connect_heuristic(c: connection) &priority=5
+	{
+	c$smb_state$current_tree$path = "<unknown>";
+	c$smb_state$current_tree$share_type = "PIPE";
+	}
+
 event file_state_remove(f: fa_file) &priority=-5
 	{
 	if ( f$source != "SMB" )
@@ -266,4 +264,4 @@ event file_state_remove(f: fa_file) &priority=-5
 			}
 		return;
 		}
-	}
\ No newline at end of file
+	}
diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/policy/protocols/smb/smb1-main.bro
index c1b8ead509..853d83b01f 100644
--- a/scripts/policy/protocols/smb/smb1-main.bro
+++ b/scripts/policy/protocols/smb/smb1-main.bro
@@ -3,7 +3,7 @@
 module SMB1;
 
 redef record SMB::CmdInfo += {
-	## Dialects offered by the client	
+	## Dialects offered by the client.
 	smb1_offered_dialects: string_vec &optional;
 };
 
@@ -108,11 +108,6 @@ event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::
 	
 event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse) &priority=-5
 	{
-	if ( SMB::write_cmd_log &&
-	     c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
-		{
-		Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
-		}
 	}
 	
 event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string) &priority=5
@@ -141,12 +136,6 @@ event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service:
 event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: string, native_file_system: string) &priority=-5
 	{
 	Log::write(SMB::MAPPING_LOG, c$smb_state$current_tree);
-
-	if ( SMB::write_cmd_log &&
-	     c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
-		{
-		Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
-		}
 	}
 
 event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string) &priority=5
@@ -192,17 +181,7 @@ event smb1_read_andx_request(c: connection, hdr: SMB1::Header, file_id: count, o
 	if ( c$smb_state$current_tree?$path && !c$smb_state$current_file?$path )
 		c$smb_state$current_file$path = c$smb_state$current_tree$path;
 
-	# We don't even try to log reads and writes to the files log.
-	#write_file_log(c$smb_state);
-	}
-	
-event smb1_read_andx_response(c: connection, hdr: SMB1::Header, data_len: count) &priority=5
-	{
-	if ( SMB::write_cmd_log && 
-	     c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
-		{
-		Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
-		}
+	SMB::write_file_log(c$smb_state);
 	}
 
 event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count) &priority=5
@@ -281,11 +260,7 @@ event smb1_session_setup_andx_request(c: connection, hdr: SMB1::Header, request:
 
 event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse) &priority=-5
 	{
-	if ( SMB::write_cmd_log &&
-	     c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
-		{
-		Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
-		}
+	# No behavior yet.
 	}
 	
 event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count)
diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro
index 31b3abf0db..1dc3a10654 100644
--- a/scripts/policy/protocols/smb/smb2-main.bro
+++ b/scripts/policy/protocols/smb/smb2-main.bro
@@ -3,7 +3,7 @@
 module SMB2;
 
 redef record SMB::CmdInfo += {
-	## Dialects offered by the client	
+	## Dialects offered by the client.
 	smb2_offered_dialects: index_vec &optional;
 };
 
@@ -101,13 +101,9 @@ event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::
 
 event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse) &priority=5
 	{
-	if ( SMB::write_cmd_log &&
-	     c$smb_state$current_cmd$status !in SMB::ignored_command_statuses )
-		{
-		Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
-		}
+	# No behavior yet.
 	}
-	
+
 event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string) &priority=5
 	{
 	c$smb_state$current_tree$path = path;
@@ -123,6 +119,16 @@ event smb2_tree_connect_response(c: connection, hdr: SMB2::Header, response: SMB
 	Log::write(SMB::MAPPING_LOG, c$smb_state$current_tree);
 	}
 
+event smb2_tree_disconnect_request(c: connection, hdr: SMB2::Header) &priority=5
+	{
+	if ( hdr$tree_id in c$smb_state$tid_map )
+		{
+		delete c$smb_state$tid_map[hdr$tree_id];
+		delete c$smb_state$current_tree;
+		delete c$smb_state$current_cmd$referenced_tree;
+		}
+	}
+
 event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &priority=5
 	{
 	if ( name == "")
@@ -142,7 +148,6 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &prior
 			c$smb_state$current_file$action = SMB::PRINT_OPEN;
 			break;
 		default:
-			#c$smb_state$current_file$action = SMB::UNKNOWN_OPEN;
 			c$smb_state$current_file$action = SMB::FILE_OPEN;
 			break;
 		}
@@ -150,6 +155,8 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &prior
 
 event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5
 	{
+	SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile);
+
 	c$smb_state$current_file$fid = file_id$persistent+file_id$volatile;
 	c$smb_state$current_file$size = file_size;
 
@@ -188,13 +195,14 @@ event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, o
 			c$smb_state$current_file$action = SMB::PRINT_READ;
 			break;
 		default:
-			c$smb_state$current_file$action = SMB::FILE_OPEN;
+			c$smb_state$current_file$action = SMB::FILE_READ;
 			break;
 		}
 	}
 
 event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-5
 	{ 
+	SMB::write_file_log(c$smb_state);
 	}
 
 event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=5
@@ -213,7 +221,6 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID,
 			c$smb_state$current_file$action = SMB::PRINT_WRITE;
 			break;
 		default:
-			#c$smb_state$current_file$action = SMB::UNKNOWN_WRITE;
 			c$smb_state$current_file$action = SMB::FILE_WRITE;
 			break;
 		}
@@ -221,6 +228,7 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID,
 
 event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-5
 	{
+	SMB::write_file_log(c$smb_state);
 	}
 
 event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string) &priority=5
@@ -254,7 +262,9 @@ event smb2_file_delete(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, de
 
 	if ( ! delete_pending )
 		{
-		print "huh...";
+		# This is weird beause it would mean that someone didn't
+		# set the delete bit in a delete request.
+		return;
 		}
 
 	switch ( c$smb_state$current_tree$share_type )
@@ -289,7 +299,6 @@ event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID)
 			c$smb_state$current_file$action = SMB::PRINT_CLOSE;
 			break;
 		default:
-			#c$smb_state$current_file$action = SMB::UNKNOWN_CLOSE;
 			c$smb_state$current_file$action = SMB::FILE_CLOSE;
 			break;
 		}
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 77a5e9832a..783961bef2 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -13,7 +13,7 @@ export {
 		SSL_Heartbeat_Attack_Success,
 		## Indicates we saw heartbeat requests with odd length. Probably an attack or scan.
 		SSL_Heartbeat_Odd_Length,
-		## Indicates we saw many heartbeat requests without an reply. Might be an attack.
+		## Indicates we saw many heartbeat requests without a reply. Might be an attack.
 		SSL_Heartbeat_Many_Requests
 	};
 }
diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.bro
index f537616e7f..7f07c2b069 100644
--- a/scripts/policy/protocols/ssl/log-hostcerts-only.bro
+++ b/scripts/policy/protocols/ssl/log-hostcerts-only.bro
@@ -8,7 +8,7 @@ module X509;
 
 export {
 	redef record Info += {
-	# Logging is suppressed if field is set to F
+		## Logging of certificate is suppressed if set to F
 		logcert: bool &default=T;
 	};
 }
@@ -39,14 +39,29 @@ event bro_init() &priority=2
 	Log::add_filter(X509::LOG, f);
 	}
 
-event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=2
+event file_sniff(f: fa_file, meta: fa_metadata) &priority=4
 	{
-	if ( ! c?$ssl )
+	if ( |f$conns| != 1 )
 		return;
 
+	if ( ! f?$info || ! f$info?$mime_type )
+		return;
+
+	if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert"
+		 || f$info$mime_type == "application/pkix-cert" ) )
+		return;
+
+	for ( cid in f$conns )
+		{
+		if ( ! f$conns[cid]?$ssl )
+			return;
+
+		local c = f$conns[cid];
+		}
+
 	local chain: vector of string;
 
-	if ( is_orig )
+	if ( f$is_orig )
 		chain = c$ssl$client_cert_chain_fuids;
 	else
 		chain = c$ssl$cert_chain_fuids;
diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro
index 97072e4cab..352ff4e863 100644
--- a/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@@ -19,12 +19,17 @@ export {
 	redef record Info += {
 		## Result of certificate validation for this connection.
 		validation_status: string &log &optional;
+		## Result of certificate validation for this connection, given
+		## as OpenSSL validation code.
+		validation_code: int &optional;
+		## Ordered chain of validated certificate, if validation succeeded.
+		valid_chain: vector of opaque of x509 &optional;
 	};
 
-	## MD5 hash values for recently validated chains along with the
+	## Result values for recently validated chains along with the
 	## validation status are kept in this table to avoid constant
 	## validation every time the same certificate chain is seen.
-	global recently_validated_certs: table[string] of string = table()
+	global recently_validated_certs: table[string] of X509::Result = table()
 		&read_expire=5mins &redef;
 
 	## Use intermediate CA certificate caching when trying to validate
@@ -39,6 +44,11 @@ export {
 	## that you encounter. Only disable if you want to find misconfigured servers.
 	global ssl_cache_intermediate_ca: bool = T &redef;
 
+	## Store the valid chain in c$ssl$valid_chain if validation succeeds.
+	## This has a potentially high memory impact, depending on the local environment
+	## and is thus disabled by default.
+	global ssl_store_valid_chain: bool = F &redef;
+
 	## Event from a worker to the manager that it has encountered a new
 	## valid intermediate.
 	global intermediate_add: event(key: string, value: vector of opaque of x509);
@@ -83,7 +93,7 @@ event SSL::new_intermediate(key: string, value: vector of opaque of x509)
 	}
 @endif
 
-function cache_validate(chain: vector of opaque of x509): string
+function cache_validate(chain: vector of opaque of x509): X509::Result
 	{
 	local chain_hash: vector of string = vector();
 
@@ -97,7 +107,10 @@ function cache_validate(chain: vector of opaque of x509): string
 		return recently_validated_certs[chain_id];
 
 	local result = x509_verify(chain, root_certs);
-	recently_validated_certs[chain_id] = result$result_string;
+	if ( ! ssl_store_valid_chain && result?$chain_certs )
+		recently_validated_certs[chain_id] = X509::Result($result=result$result, $result_string=result$result_string);
+	else
+		recently_validated_certs[chain_id] = result;
 
 	# if we have a working chain where we did not store the intermediate certs
 	# in our cache yet - do so
@@ -107,8 +120,8 @@ function cache_validate(chain: vector of opaque of x509): string
 		   |result$chain_certs| > 2 )
 		{
 		local result_chain = result$chain_certs;
-		local icert = x509_parse(result_chain[1]);
-		if ( icert$subject !in intermediate_cache )
+		local isnh = x509_subject_name_hash(result_chain[1], 4); # SHA256
+		if ( isnh !in intermediate_cache )
 			{
 			local cachechain: vector of opaque of x509;
 			for ( i in result_chain )
@@ -116,14 +129,14 @@ function cache_validate(chain: vector of opaque of x509): string
 				if ( i >=1 && i<=|result_chain|-2 )
 					cachechain[i-1] = result_chain[i];
 				}
-			add_to_cache(icert$subject, cachechain);
+			add_to_cache(isnh, cachechain);
 			}
 		}
 
-	return result$result_string;
+	return result;
 	}
 
-event ssl_established(c: connection) &priority=3
+hook ssl_finishing(c: connection) &priority=20
 	{
 	# If there aren't any certs we can't very well do certificate validation.
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
@@ -131,23 +144,26 @@ event ssl_established(c: connection) &priority=3
 		return;
 
 	local intermediate_chain: vector of opaque of x509 = vector();
-	local issuer = c$ssl$cert_chain[0]$x509$certificate$issuer;
+	local issuer_name_hash = x509_issuer_name_hash(c$ssl$cert_chain[0]$x509$handle, 4); # SHA256
 	local hash = c$ssl$cert_chain[0]$sha1;
-	local result: string;
+	local result: X509::Result;
 
 	# Look if we already have a working chain for the issuer of this cert.
 	# If yes, try this chain first instead of using the chain supplied from
 	# the server.
-	if ( ssl_cache_intermediate_ca && issuer in intermediate_cache )
+	if ( ssl_cache_intermediate_ca && issuer_name_hash in intermediate_cache )
 		{
 		intermediate_chain[0] = c$ssl$cert_chain[0]$x509$handle;
-		for ( i in intermediate_cache[issuer] )
-			intermediate_chain[i+1] = intermediate_cache[issuer][i];
+		for ( i in intermediate_cache[issuer_name_hash] )
+			intermediate_chain[i+1] = intermediate_cache[issuer_name_hash][i];
 
 		result = cache_validate(intermediate_chain);
-		if ( result == "ok" )
+		if ( result$result_string == "ok" )
 			{
-			c$ssl$validation_status = result;
+			c$ssl$validation_status = result$result_string;
+			c$ssl$validation_code = result$result;
+			if ( result?$chain_certs )
+				c$ssl$valid_chain = result$chain_certs;
 			return;
 			}
 		}
@@ -163,13 +179,16 @@ event ssl_established(c: connection) &priority=3
 		}
 
 	result = cache_validate(chain);
-	c$ssl$validation_status = result;
+	c$ssl$validation_status = result$result_string;
+	c$ssl$validation_code = result$result;
+	if ( result?$chain_certs )
+		c$ssl$valid_chain = result$chain_certs;
 
-	if ( result != "ok" )
+	if ( result$result_string != "ok" )
 		{
 		local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status);
 		NOTICE([$note=Invalid_Server_Cert, $msg=message,
-		        $sub=c$ssl$subject, $conn=c,
-		        $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_status)]);
+		        $sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c,
+		        $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code)]);
 		}
 	}
diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro
index 3beabbe59c..7cb8be9f0e 100644
--- a/scripts/policy/protocols/ssl/validate-ocsp.bro
+++ b/scripts/policy/protocols/ssl/validate-ocsp.bro
@@ -1,4 +1,9 @@
-##! Perform OCSP response validation.
+##! Perform validation of stapled OCSP responses.
+#!
+#! Note: this _only_ performs validation of stapled OCSP responsed. It does
+#! not validate OCSP responses that are retrieved via HTTP, because we do not
+#! have a mapping to certificates.
+
 
 @load base/frameworks/notice
 @load base/protocols/ssl
@@ -15,7 +20,6 @@ export {
 	redef record Info += {
 		## Result of ocsp validation for this connection.
 		ocsp_status: string &log &optional;
-
 		## ocsp response as string.
 		ocsp_response: string &optional;
 	};
diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro
new file mode 100644
index 0000000000..a89a5e5b19
--- /dev/null
+++ b/scripts/policy/protocols/ssl/validate-sct.bro
@@ -0,0 +1,210 @@
+##! Perform validation of Signed Certificate Timestamps, as used
+##! for Certificate Transparency. See RFC6962 for more details.
+
+@load base/protocols/ssl
+@load protocols/ssl/validate-certs
+
+# We need to know issuer certificates to be able to determine the IssuerKeyHash,
+# which is required for validating certificate extensions.
+redef SSL::ssl_store_valid_chain = T;
+
+module SSL;
+
+export {
+
+	## List of the different sources for Signed Certificate Timestamp
+	type SctSource: enum {
+		## Signed Certificate Timestamp was encountered in the extension of
+		## an X.509 certificate.
+		SCT_X509_EXT,
+		## Signed Certificate Timestamp was encountered in an TLS session
+		## extension.
+		SCT_TLS_EXT,
+		## Signed Certificate Timestamp was encountered in the extension of
+		## an stapled OCSP reply.
+		SCT_OCSP_EXT
+	};
+
+	## This record is used to store information about the SCTs that are
+	## encountered in a SSL connection.
+	type SctInfo: record {
+		## The version of the encountered SCT (should always be 0 for v1).
+		version: count;
+		## The ID of the log issuing this SCT.
+		logid: string;
+		## The timestamp at which this SCT was issued measured since the
+		## epoch (January 1, 1970, 00:00), ignoring leap seconds, in
+		## milliseconds. Not converted to a Bro timestamp because we need
+		## the exact value for validation.
+		timestamp: count;
+		## The signature algorithm used for this sct.
+		sig_alg: count;
+		## The hash algorithm used for this sct.
+		hash_alg: count;
+		## The signature of this SCT.
+		signature: string;
+		## Source of this SCT.
+		source: SctSource;
+		## Validation result of this SCT.
+		valid: bool &optional;
+	};
+
+	redef record Info += {
+		## Number of valid SCTs that were encountered in the connection.
+		valid_scts: count &optional;
+		## Number of SCTs that could not be validated that were encountered in the connection.
+		invalid_scts: count &optional;
+		## Number of different Logs for which valid SCTs were encountered in the connection.
+		valid_ct_logs: count &log &optional;
+		## Number of different Log operators of which valid SCTs were encountered in the connection.
+		valid_ct_operators: count &log &optional;
+		## List of operators for which valid SCTs were encountered in the connection.
+		valid_ct_operators_list: set[string] &optional;
+		## Information about all SCTs that were encountered in the connection.
+		ct_proofs: vector of SctInfo &default=vector();
+	};
+}
+
+# Used to cache validations for 5 minutes to lessen computational load.
+global recently_validated_scts: table[string] of bool = table()
+	&read_expire=5mins &redef;
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5
+	{
+	c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT);
+	}
+
+event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) &priority=5
+	{
+	local src: SctSource;
+	if ( ! f?$info )
+		return;
+
+	if ( f$source == "SSL" && f$info$mime_type == "application/ocsp-response" )
+		src = SCT_OCSP_EXT;
+	else if ( f$source == "SSL" && f$info$mime_type == "application/x-x509-user-cert" )
+		src = SCT_X509_EXT;
+	else
+		return;
+
+	if ( |f$conns| != 1 )
+		return;
+
+	for ( cid in f$conns )
+		{
+		if ( ! f$conns[cid]?$ssl )
+			return;
+
+		local c = f$conns[cid];
+		}
+
+	c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src);
+	}
+
+# Priority = 19 will be handled after validation is done
+hook ssl_finishing(c: connection) &priority=19
+	{
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	local cert = c$ssl$cert_chain[0]$x509$handle;
+	local certhash = c$ssl$cert_chain[0]$sha1;
+	local issuer_name_hash = x509_issuer_name_hash(cert, 4);
+	local valid_proofs = 0;
+	local invalid_proofs = 0;
+	c$ssl$valid_ct_operators_list = string_set();
+	local valid_logs = string_set();
+	local issuer_key_hash = "";
+
+	for ( i in c$ssl$ct_proofs )
+		{
+		local proof = c$ssl$ct_proofs[i];
+		if ( proof$logid !in SSL::ct_logs )
+			{
+			# Well, if we don't know the log, there is nothing to do here...
+			proof$valid = F;
+			next;
+			}
+		local log = SSL::ct_logs[proof$logid];
+
+		local valid = F;
+		local found_cache = F;
+
+		local validatestring = cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature,proof$source);
+		if ( proof$source == SCT_X509_EXT && c$ssl?$validation_code )
+			validatestring = cat(validatestring, c$ssl$validation_code);
+		local validate_hash = sha1_hash(validatestring);
+		if ( validate_hash in recently_validated_scts )
+			{
+			valid = recently_validated_scts[validate_hash];
+			found_cache = T;
+			}
+
+		if ( found_cache == F && ( proof$source == SCT_TLS_EXT || proof$source == SCT_OCSP_EXT ) )
+			{
+			valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg);
+			}
+		else if ( found_cache == F )
+			{
+			# X.509 proof. Here things get awkward because we need information about
+			# the issuer cert... and we need to try a few times, because we have to see if we got
+			# the right issuer cert.
+			#
+			# First - Let's try if a previous round already established the correct issuer key hash.
+			if ( issuer_key_hash != "" )
+				{
+				valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash);
+				}
+
+			# Second - let's see if we might already know the issuer cert through verification.
+			if ( ! valid && issuer_name_hash in intermediate_cache )
+				{
+				issuer_key_hash = x509_spki_hash(intermediate_cache[issuer_name_hash][0], 4);
+				valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash);
+				}
+			if ( ! valid && c$ssl?$valid_chain && |c$ssl$valid_chain| >= 2 )
+				{
+				issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4);
+				valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash);
+				}
+
+			# ok, if it still did not work - let's just try with all the certs that were sent
+			# in the connection. Perhaps it will work with one of them.
+			if ( !valid )
+				for ( i in c$ssl$cert_chain )
+					{
+					if ( i == 0 ) # end-host-cert
+						next;
+
+					issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4);
+					valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash);
+					if ( valid )
+						break;
+					}
+			}
+
+		if ( ! found_cache )
+			recently_validated_scts[validate_hash] = valid;
+
+		proof$valid = valid;
+
+		if ( valid )
+			{
+			++valid_proofs;
+			add c$ssl$valid_ct_operators_list[log$operator];
+			add valid_logs[proof$logid];
+			}
+		else
+			++invalid_proofs;
+		}
+
+	c$ssl$valid_scts = valid_proofs;
+	c$ssl$invalid_scts = invalid_proofs;
+	c$ssl$valid_ct_operators = |c$ssl$valid_ct_operators_list|;
+	c$ssl$valid_ct_logs = |valid_logs|;
+	}
diff --git a/scripts/site/local-logger.bro b/scripts/site/local-logger.bro
new file mode 100644
index 0000000000..0642e86ce3
--- /dev/null
+++ b/scripts/site/local-logger.bro
@@ -0,0 +1 @@
+##! Local site policy loaded only by the logger if Bro is running as a cluster.
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 8d1a9ff054..7c828241d0 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -34,6 +34,7 @@
 @load frameworks/files/entropy-test-all-files.bro
 #@load frameworks/files/extract-all-files.bro
 @load frameworks/files/hash-all-files.bro
+@load files/x509/log-ocsp.bro
 @load frameworks/packet-filter/shunt.bro
 @load frameworks/software/version-changes.bro
 @load frameworks/software/vulnerable.bro
@@ -72,6 +73,7 @@
 @load protocols/http/software.bro
 @load protocols/http/var-extraction-cookies.bro
 @load protocols/http/var-extraction-uri.bro
+@load protocols/krb/ticket-logging.bro
 @load protocols/modbus/known-masters-slaves.bro
 @load protocols/modbus/track-memmap.bro
 @load protocols/mysql/software.bro
@@ -97,6 +99,7 @@
 #@load protocols/ssl/notary.bro
 @load protocols/ssl/validate-certs.bro
 @load protocols/ssl/validate-ocsp.bro
+@load protocols/ssl/validate-sct.bro
 @load protocols/ssl/weak-keys.bro
 @load tuning/__load__.bro
 @load tuning/defaults/__load__.bro
diff --git a/src/3rdparty b/src/3rdparty
index a59b3ad696..1dc8599df2 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit a59b3ad696c389611c327dc1af1909682c5396f6
+Subproject commit 1dc8599df24112504aac5e1256b478eec5054848
diff --git a/src/Frame.cc b/src/Frame.cc
index e97b948dbe..f30312aaec 100644
--- a/src/Frame.cc
+++ b/src/Frame.cc
@@ -33,6 +33,15 @@ Frame::~Frame()
 	Release();
 	}
 
+void Frame::Reset(int startIdx)
+	{
+	for ( int i = startIdx; i < size; ++i )
+		{
+		Unref(frame[i]);
+		frame[i] = 0;
+		}
+	}
+
 void Frame::Release()
 	{
 	for ( int i = 0; i < size; ++i )
diff --git a/src/Frame.h b/src/Frame.h
index 85e1dbec2e..0c22fa0e4e 100644
--- a/src/Frame.h
+++ b/src/Frame.h
@@ -24,6 +24,7 @@ public:
 		frame[n] = v;
 		}
 
+	void Reset(int startIdx);
 	void Release();
 
 	void Describe(ODesc* d) const;
diff --git a/src/Func.cc b/src/Func.cc
index ccb2570f70..88da9a7a04 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -397,6 +397,7 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const
 				bodies[i].stmts->GetLocationInfo());
 
 		Unref(result);
+		f->Reset(args->length());
 
 		try
 			{
diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index 4842f819b6..7d8899d8b9 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -2730,10 +2730,10 @@ bool RemoteSerializer::ProcessLogCreateWriter()
 	id_val = new EnumVal(id, internal_type("Log::ID")->AsEnumType());
 	writer_val = new EnumVal(writer, internal_type("Log::Writer")->AsEnumType());
 
-	if ( ! log_mgr->CreateWriter(id_val, writer_val, info, num_fields, fields,
-	                             true, false, true) )
+	if ( ! log_mgr->CreateWriterForRemoteLog(id_val, writer_val, info, num_fields, fields) )
 		{
-		delete_fields_up_to = num_fields;
+		info = 0;
+		fields = 0;
 		goto error;
 		}
 
@@ -2803,7 +2803,7 @@ bool RemoteSerializer::ProcessLogWrite()
 		id_val = new EnumVal(id, internal_type("Log::ID")->AsEnumType());
 		writer_val = new EnumVal(writer, internal_type("Log::Writer")->AsEnumType());
 
-		success = log_mgr->Write(id_val, writer_val, path, num_fields, vals);
+		success = log_mgr->WriteFromRemote(id_val, writer_val, path, num_fields, vals);
 
 		Unref(id_val);
 		Unref(writer_val);
diff --git a/src/Reporter.h b/src/Reporter.h
index 19cdbb7e82..85b9a483a2 100644
--- a/src/Reporter.h
+++ b/src/Reporter.h
@@ -66,11 +66,11 @@ public:
 
 	// Report a runtime error in evaluating a Bro script expression. This
 	// function will not return but raise an InterpreterException.
-	void ExprRuntimeError(const Expr* expr, const char* fmt, ...);
+	void ExprRuntimeError(const Expr* expr, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
 
 	// Report a runtime error in evaluating a Bro script expression. This
 	// function will not return but raise an InterpreterException.
-	void RuntimeError(const Location* location, const char* fmt, ...);
+	void RuntimeError(const Location* location, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
 
 	// Report a traffic weirdness, i.e., an unexpected protocol situation
 	// that may lead to incorrectly processing a connnection.
@@ -123,7 +123,7 @@ public:
 private:
 	void DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 		   Connection* conn, val_list* addl, bool location, bool time,
-		   const char* postfix, const char* fmt, va_list ap);
+		   const char* postfix, const char* fmt, va_list ap) __attribute__((format(printf, 10, 0)));
 
 	// The order if addl, name needs to be like that since fmt_name can
 	// contain format specifiers
diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc
index 40ef5f0ad1..9df70f118b 100644
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@@ -89,6 +89,10 @@ bool RuleConditionPayloadSize::DoMatch(Rule* rule, RuleEndpointState* state,
 		// on the pure rules now.
 		return false;
 
+	if ( state->PayloadSize() == 0 )
+		// We are interested in the first non-empty chunk.
+		return false;
+
 	uint32 payload_size = uint32(state->PayloadSize());
 
 	switch ( comp ) {
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index c88bb77a4f..3ee7306fb5 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -144,7 +144,7 @@ bool RuleHdrTest::operator==(const RuleHdrTest& h)
 void RuleHdrTest::PrintDebug()
 	{
 	static const char* str_comp[] = { "<=", ">=", "<", ">", "==", "!=" };
-	static const char* str_prot[] = { "", "ip", "icmp", "tcp", "udp" };
+	static const char* str_prot[] = { "", "ip", "ipv6", "icmp", "icmpv6", "tcp", "udp", "next", "ipsrc", "ipdst" };
 
 	fprintf(stderr, "	RuleHdrTest %s[%d:%d] %s",
 			str_prot[prot], offset, size, str_comp[comp]);
@@ -1095,10 +1095,10 @@ void RuleMatcher::ExecRule(Rule* rule, RuleEndpointState* state, bool eos)
 
 void RuleMatcher::ClearEndpointState(RuleEndpointState* state)
 	{
-	state->payload_size = -1;
-
 	ExecPureRules(state, 1);
 
+	state->payload_size = -1;
+
 	loop_over_list(state->matchers, j)
 		state->matchers[j]->state->Clear();
 	}
diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h
index b16a1556f9..23b7e6d731 100644
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@@ -72,6 +72,7 @@ extern uint32 id_to_uint(const char* id);
 
 class RuleHdrTest {
 public:
+	// Note: Adapt RuleHdrTest::PrintDebug() when changing these enums.
 	enum Comp { LE, GE, LT, GT, EQ, NE };
 	enum Prot { NOPROT, IP, IPv6, ICMP, ICMPv6, TCP, UDP, NEXT, IPSrc, IPDst };
 
diff --git a/src/SerialTypes.h b/src/SerialTypes.h
index cf2c52a08b..8a1a2abf51 100644
--- a/src/SerialTypes.h
+++ b/src/SerialTypes.h
@@ -115,6 +115,7 @@ SERIAL_VAL(CARDINALITY_VAL, 22)
 SERIAL_VAL(X509_VAL, 23)
 SERIAL_VAL(COMM_STORE_HANDLE_VAL, 24)
 SERIAL_VAL(COMM_DATA_VAL, 25)
+SERIAL_VAL(OCSP_RESP_VAL, 26)
 
 #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR)
 SERIAL_EXPR(EXPR, 1)
diff --git a/src/Sessions.cc b/src/Sessions.cc
index b60ab52ce6..e0a47780dd 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -431,7 +431,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 		return;
 		}
 #endif
-
 	int proto = ip_hdr->NextProto();
 
 	if ( CheckHeaderTrunc(proto, len, caplen, pkt, encapsulation) )
@@ -510,6 +509,11 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 		uint16 proto_typ = ntohs(*((uint16*)(data + 2)));
 		int gre_version = flags_ver & 0x0007;
 
+		// If a carried packet has ethernet, this will help skip it.
+		unsigned int eth_len = 0;
+		unsigned int gre_len = gre_header_len(flags_ver);
+		unsigned int ppp_len = gre_version == 1 ? 1 : 0;
+
 		if ( gre_version != 0 && gre_version != 1 )
 			{
 			Weird(fmt("unknown_gre_version_%d", gre_version), ip_hdr,
@@ -519,7 +523,18 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 
 		if ( gre_version == 0 )
 			{
-			if ( proto_typ != 0x0800 && proto_typ != 0x86dd )
+			if ( proto_typ == 0x6558 && len > gre_len + 14 )
+				{
+				// transparent ethernet bridging
+				eth_len = 14;
+				proto_typ = ntohs(*((uint16*)(data + gre_len + 12)));
+				}
+
+			if ( proto_typ == 0x0800 )
+				proto = IPPROTO_IPV4;
+			else if ( proto_typ == 0x86dd )
+				proto = IPPROTO_IPV6;
+			else
 				{
 				// Not IPv4/IPv6 payload.
 				Weird(fmt("unknown_gre_protocol_%" PRIu16, proto_typ), ip_hdr,
@@ -527,7 +542,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 				return;
 				}
 
-			proto = (proto_typ == 0x0800) ? IPPROTO_IPV4 : IPPROTO_IPV6;
 			}
 
 		else // gre_version == 1
@@ -556,10 +570,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 			return;
 			}
 
-		unsigned int gre_len = gre_header_len(flags_ver);
-		unsigned int ppp_len = gre_version == 1 ? 1 : 0;
-
-		if ( len < gre_len + ppp_len || caplen < gre_len + ppp_len )
+		if ( len < gre_len + ppp_len + eth_len || caplen < gre_len + ppp_len + eth_len )
 			{
 			Weird("truncated_GRE", ip_hdr, encapsulation);
 			return;
@@ -578,9 +589,9 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 			proto = (ppp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6;
 			}
 
-		data += gre_len + ppp_len;
-		len -= gre_len + ppp_len;
-		caplen -= gre_len + ppp_len;
+		data += gre_len + ppp_len + eth_len;
+		len -= gre_len + ppp_len + eth_len;
+		caplen -= gre_len + ppp_len + eth_len;
 
 		// Treat GRE tunnel like IP tunnels, fallthrough to logic below now
 		// that GRE header is stripped and only payload packet remains.
@@ -607,7 +618,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 		// Check for a valid inner packet first.
 		IP_Hdr* inner = 0;
 		int result = ParseIPPacket(caplen, data, proto, inner);
-
 		if ( result < 0 )
 			Weird("truncated_inner_IP", ip_hdr, encapsulation);
 
@@ -761,7 +771,7 @@ void NetSessions::DoNextInnerPacket(double t, const Packet* pkt,
 	uint32 caplen, len;
 	caplen = len = inner->TotalLen();
 
-	struct timeval ts;
+	pkt_timeval ts;
 	int link_type;
 	Layer3Proto l3_proto;
 
@@ -794,6 +804,7 @@ void NetSessions::DoNextInnerPacket(double t, const Packet* pkt,
 	// Construct fake packet for DoNextPacket
 	Packet p;
 	p.Init(DLT_RAW, &ts, caplen, len, data, false, "");
+
 	DoNextPacket(t, &p, inner, outer);
 
 	delete inner;
@@ -1212,28 +1223,11 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
 	if ( ! WantConnection(src_h, dst_h, tproto, flags, flip) )
 		return 0;
 
-	ConnID flip_id = *id;
-
-	if ( flip )
-		{
-		// Make a guess that we're seeing the tail half of
-		// an analyzable connection.
-		const IPAddr ta = flip_id.src_addr;
-		flip_id.src_addr = flip_id.dst_addr;
-		flip_id.dst_addr = ta;
-
-		uint32 t = flip_id.src_port;
-		flip_id.src_port = flip_id.dst_port;
-		flip_id.dst_port = t;
-
-		id = &flip_id;
-		}
-
 	Connection* conn = new Connection(this, k, t, id, flow_label, pkt, encapsulation);
 	conn->SetTransport(tproto);
 
 	if ( flip )
-		conn->AddHistory('^');
+		conn->FlipRoles();
 
 	if ( ! analyzer_mgr->BuildInitialAnalyzerTree(conn) )
 		{
diff --git a/src/Type.h b/src/Type.h
index 5c8a05b3f6..ab52e10734 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -628,6 +628,7 @@ extern OpaqueType* cardinality_type;
 extern OpaqueType* topk_type;
 extern OpaqueType* bloomfilter_type;
 extern OpaqueType* x509_opaque_type;
+extern OpaqueType* ocsp_resp_opaque_type;
 
 // Returns the Bro basic (non-parameterized) type with the given type.
 // The reference count of the type is not increased.
diff --git a/src/analyzer/protocol/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc
index a1e00e9b38..9c4ac237ab 100644
--- a/src/analyzer/protocol/ayiya/AYIYA.cc
+++ b/src/analyzer/protocol/ayiya/AYIYA.cc
@@ -1,7 +1,6 @@
 
 #include "AYIYA.h"
 #include "Func.h"
-#include "events.bif.h"
 
 using namespace analyzer::ayiya;
 
diff --git a/src/analyzer/protocol/ayiya/CMakeLists.txt b/src/analyzer/protocol/ayiya/CMakeLists.txt
index ae23c25e2d..50113b72d7 100644
--- a/src/analyzer/protocol/ayiya/CMakeLists.txt
+++ b/src/analyzer/protocol/ayiya/CMakeLists.txt
@@ -5,6 +5,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 
 bro_plugin_begin(Bro AYIYA)
 bro_plugin_cc(AYIYA.cc Plugin.cc)
-bro_plugin_bif(events.bif)
 bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/ayiya/ayiya.pac b/src/analyzer/protocol/ayiya/ayiya.pac
index b1f3a6ef77..ff0af4d47c 100644
--- a/src/analyzer/protocol/ayiya/ayiya.pac
+++ b/src/analyzer/protocol/ayiya/ayiya.pac
@@ -2,10 +2,6 @@
 %include binpac.pac
 %include bro.pac
 
-%extern{
-#include "events.bif.h"
-%}
-
 analyzer AYIYA withcontext {
 	connection:	AYIYA_Conn;
 	flow:		AYIYA_Flow;
diff --git a/src/analyzer/protocol/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
index 79ec16ada6..959e6ac87c 100644
--- a/src/analyzer/protocol/dce-rpc/CMakeLists.txt
+++ b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
@@ -5,9 +5,9 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 
 bro_plugin_begin(Bro DCE_RPC)
 bro_plugin_cc(DCE_RPC.cc Plugin.cc)
-bro_plugin_bif(types.bif events.bif)
+bro_plugin_bif(consts.bif types.bif events.bif)
 bro_plugin_pac(
-    dce_rpc.pac 
+    dce_rpc.pac
     dce_rpc-protocol.pac
     dce_rpc-analyzer.pac
     dce_rpc-auth.pac
diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc
index e93a2541f7..f7a96fbb6e 100644
--- a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc
+++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc
@@ -16,6 +16,7 @@ using namespace analyzer::dce_rpc;
 DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection *conn)
 : tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn)
 	{
+	had_gap = false;
 	interp = new binpac::DCE_RPC::DCE_RPC_Conn(this);
 	}
 
@@ -41,6 +42,7 @@ void DCE_RPC_Analyzer::EndpointEOF(bool is_orig)
 void DCE_RPC_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	had_gap = true;
 	interp->NewGap(orig, len);
 	}
 
@@ -49,6 +51,12 @@ void DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 
 	assert(TCP());
+
+	if ( had_gap )
+		// If only one side had a content gap, we could still try to
+		// deliver data to the other side if the script layer can handle this.
+		return;
+
 	try
 		{
 		interp->NewData(orig, data, data + len);
diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.h b/src/analyzer/protocol/dce-rpc/DCE_RPC.h
index 714607f5e2..498e055e0a 100644
--- a/src/analyzer/protocol/dce-rpc/DCE_RPC.h
+++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.h
@@ -29,6 +29,7 @@ public:
 		{ return new DCE_RPC_Analyzer(conn); }
 
 protected:
+	bool had_gap;
 	binpac::DCE_RPC::DCE_RPC_Conn* interp;
 };
 
diff --git a/src/analyzer/protocol/dce-rpc/consts.bif b/src/analyzer/protocol/dce-rpc/consts.bif
new file mode 100644
index 0000000000..68b052d84b
--- /dev/null
+++ b/src/analyzer/protocol/dce-rpc/consts.bif
@@ -0,0 +1,2 @@
+const DCE_RPC::max_cmd_reassembly: count;
+const DCE_RPC::max_frag_data: count;
\ No newline at end of file
diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
index 5fe9380422..921b4ba51f 100644
--- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
@@ -37,7 +37,7 @@ type DCE_RPC_PDU(is_orig: bool) = record {
 	# Subtract an extra 8 when there is an auth section because we have some "auth header" fields in that structure.
 	body_length      : int  = header.frag_length - sizeof(header) - header.auth_length - (header.auth_length > 0 ? 8 : 0);
 	frag_reassembled : bool = $context.flow.reassemble_fragment(header, frag);
-	body             : DCE_RPC_Body(header) withinput $context.flow.reassembled_body(header, frag) &if(header.lastfrag);
+	body             : DCE_RPC_Body(header) withinput $context.flow.reassembled_body(header, frag) &if(frag_reassembled);
 } &byteorder = header.byteorder, &length = header.frag_length;
 
 type NDR_Format = record {
@@ -174,23 +174,74 @@ flow DCE_RPC_Flow(is_orig: bool) {
 	flowunit = DCE_RPC_PDU(is_orig) withcontext(connection, this);
 
 	%member{
-		std::map<uint32, FlowBuffer*> fb;
+		std::map<uint32, std::unique_ptr<FlowBuffer>> fb;
 	%}
 
 	# Fragment reassembly.
 	function reassemble_fragment(header: DCE_RPC_Header, frag: bytestring): bool
 		%{
-		if ( ${header.firstfrag} && !${header.lastfrag} &&
-		     fb.count(${header.call_id}) == 0 )
-			fb[${header.call_id}] = new FlowBuffer();
+		if ( ${header.firstfrag} )
+			{
+			if ( fb.count(${header.call_id}) > 0 )
+				{
+				// We already had a first frag earlier.
+				reporter->Weird(connection()->bro_analyzer()->Conn(),
+						"multiple_first_fragments_in_dce_rpc_reassembly");
+				connection()->bro_analyzer()->SetSkip(true);
+				return false;
+				}
 
-		if ( fb.count(${header.call_id}) == 0 )
+			if ( ${header.lastfrag} )
+				{
+				// all-in-one packet
+				return true;
+				}
+			else
+				{
+				// first frag, but not last so we start a flowbuffer
+				fb[${header.call_id}] = std::unique_ptr<FlowBuffer>(new FlowBuffer());
+				fb[${header.call_id}]->NewFrame(0, true);
+				fb[${header.call_id}]->BufferData(frag.begin(), frag.end());
+
+				if ( fb.size() > BifConst::DCE_RPC::max_cmd_reassembly )
+					{
+					reporter->Weird(connection()->bro_analyzer()->Conn(),
+					                "too_many_dce_rpc_msgs_in_reassembly");
+					connection()->bro_analyzer()->SetSkip(true);
+					}
+
+				if ( fb[${header.call_id}]->data_length() > (int)BifConst::DCE_RPC::max_frag_data )
+					{
+					reporter->Weird(connection()->bro_analyzer()->Conn(),
+					                "too_much_dce_rpc_fragment_data");
+					connection()->bro_analyzer()->SetSkip(true);
+					}
+
+				return false;
+				}
+			}
+		else if ( fb.count(${header.call_id}) > 0 )
+			{
+			// not the first frag, but we have a flow buffer so add to it
+			fb[${header.call_id}]->BufferData(frag.begin(), frag.end());
+
+			if ( fb[${header.call_id}]->data_length() > (int)BifConst::DCE_RPC::max_frag_data )
+				{
+				reporter->Weird(connection()->bro_analyzer()->Conn(),
+				                "too_much_dce_rpc_fragment_data");
+				connection()->bro_analyzer()->SetSkip(true);
+				}
+
+			return ${header.lastfrag};
+			}
+		else
+			{
+			// no flow buffer and not a first frag, ignore it.
 			return false;
+			}
 
-		auto frag_reassembler_ = fb[${header.call_id}];
-		frag_reassembler_->BufferData(frag.begin(), frag.end());
-
-		return (!${header.firstfrag} && ${header.lastfrag});
+		// can't reach here.
+		return false;
 		%}
 
 	function reassembled_body(h: DCE_RPC_Header, body: bytestring): const_bytestring
@@ -200,7 +251,6 @@ flow DCE_RPC_Flow(is_orig: bool) {
 		if ( fb.count(${h.call_id}) > 0 )
 			{
 			bd = const_bytestring(fb[${h.call_id}]->begin(), fb[${h.call_id}]->end());
-			delete fb[${h.call_id}];
 			fb.erase(${h.call_id});
 			}
 
diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc.pac b/src/analyzer/protocol/dce-rpc/dce_rpc.pac
index f4a54a1e62..87070e6216 100644
--- a/src/analyzer/protocol/dce-rpc/dce_rpc.pac
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc.pac
@@ -2,6 +2,7 @@
 %include bro.pac
 
 %extern{
+#include "consts.bif.h"
 #include "types.bif.h"
 #include "events.bif.h"
 %}
diff --git a/src/analyzer/protocol/gssapi/CMakeLists.txt b/src/analyzer/protocol/gssapi/CMakeLists.txt
index 222c3cdf4e..d826d36bf7 100644
--- a/src/analyzer/protocol/gssapi/CMakeLists.txt
+++ b/src/analyzer/protocol/gssapi/CMakeLists.txt
@@ -5,7 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 
 bro_plugin_begin(Bro GSSAPI)
 bro_plugin_cc(GSSAPI.cc Plugin.cc)
-bro_plugin_bif(types.bif events.bif)
+bro_plugin_bif(events.bif)
 bro_plugin_pac(
     gssapi.pac 
     gssapi-protocol.pac
diff --git a/src/analyzer/protocol/gssapi/gssapi.pac b/src/analyzer/protocol/gssapi/gssapi.pac
index 07759e8daa..55b7fe4255 100644
--- a/src/analyzer/protocol/gssapi/gssapi.pac
+++ b/src/analyzer/protocol/gssapi/gssapi.pac
@@ -5,7 +5,6 @@
 #include "analyzer/Manager.h"
 #include "analyzer/Analyzer.h"
 
-#include "types.bif.h"
 #include "events.bif.h"
 %}
 
diff --git a/src/analyzer/protocol/gssapi/types.bif b/src/analyzer/protocol/gssapi/types.bif
deleted file mode 100644
index 996cee9ad8..0000000000
--- a/src/analyzer/protocol/gssapi/types.bif
+++ /dev/null
@@ -1 +0,0 @@
-# Empty.
diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index c1f4320c04..badf8c1b54 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -1843,13 +1843,23 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e
 
 			if ( line == line_end )
 				{
-				// How to deal with % at end of line?
-				// *URI_p++ = '%';
+				*URI_p++ = '%';
 				if ( analyzer )
 					analyzer->Weird("illegal_%_at_end_of_URI");
 				break;
 				}
 
+			else if ( line + 1 == line_end )
+				{
+				// % + one character at end of line. Log weird
+				// and just add to unescpaped URI.
+				*URI_p++ = '%';
+				*URI_p++ = *line;
+				if ( analyzer )
+					analyzer->Weird("partial_escape_at_end_of_URI");
+				break;
+				}
+
 			else if ( *line == '%' )
 				{
 				// Double '%' might be either due to
diff --git a/src/analyzer/protocol/krb/krb-padata.pac b/src/analyzer/protocol/krb/krb-padata.pac
index b178239f4d..271958fcb4 100644
--- a/src/analyzer/protocol/krb/krb-padata.pac
+++ b/src/analyzer/protocol/krb/krb-padata.pac
@@ -75,8 +75,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
 				string file_id = file_mgr->HashHandle(file_handle.Description());
 
 				file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
-			                 	 cert.length(), bro_analyzer->GetAnalyzerTag(),
-			                 	 bro_analyzer->Conn(), true, file_id);
+				                 cert.length(), bro_analyzer->GetAnalyzerTag(),
+				                 bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert");
 				file_mgr->EndOfFile(file_id);
 
 				break;
@@ -99,8 +99,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
 				string file_id = file_mgr->HashHandle(file_handle.Description());
 
 				file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
-	                 			 cert.length(), bro_analyzer->GetAnalyzerTag(),
-			 	                 bro_analyzer->Conn(), false, file_id);
+				                 cert.length(), bro_analyzer->GetAnalyzerTag(),
+				                 bro_analyzer->Conn(), false, file_id, "application/x-x509-user-cert");
 				file_mgr->EndOfFile(file_id);
 
 				break;
diff --git a/src/analyzer/protocol/krb/krb-protocol.pac b/src/analyzer/protocol/krb/krb-protocol.pac
index a237f6b0fa..8f68bebe0d 100644
--- a/src/analyzer/protocol/krb/krb-protocol.pac
+++ b/src/analyzer/protocol/krb/krb-protocol.pac
@@ -136,8 +136,8 @@ type KRB_AP_REQ(is_orig: bool) = record {
 
 type KRB_AP_Options = record {
 	meta 	: SequenceElement(false);
-	flags	: uint32;
 		: padding[1];
+	flags	: uint32;
 } &let {
 	reserved	: bool = (flags & 0x80000000) > 0;
 	use_session_key	: bool = (flags & 0x40000000) > 0;
diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac
index 07418b3a71..3b3b9d1f09 100644
--- a/src/analyzer/protocol/krb/krb-types.pac
+++ b/src/analyzer/protocol/krb/krb-types.pac
@@ -19,6 +19,8 @@ Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname)
 		return bytestring_to_val(pname->data()[0][0]->encoding()->content());
 	if ( pname->data()->size() == 2 )
 		return new StringVal(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin()));
+	if ( pname->data()->size() == 3 ) // if the name-string has a third value, this will just append it, else this will return unknown as the principal name
+		return new StringVal(fmt("%s/%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin(), (char *)pname->data()[0][2]->encoding()->content().begin()));
 
 	return new StringVal("unknown");
 }
@@ -93,6 +95,7 @@ RecordVal* proc_ticket(const KRB_Ticket* ticket)
 	rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content()));
 	rv->Assign(2, GetStringFromPrincipalName(ticket->sname()));
 	rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT));
+	rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext()->encoding()->content()));
 
 	return rv;
 }
@@ -159,7 +162,7 @@ type KRB_Encrypted_Data = record {
 		true   -> next_meta: ASN1EncodingMeta;
 		false  -> none_meta: empty;
 	};
-	ciphertext	: bytestring &length=have_kvno ? next_meta.length : kvno_meta.length;
+	ciphertext	: ASN1OctetString &length=have_kvno ? next_meta.length : kvno_meta.length;
 } &let {
 	have_kvno	: bool = kvno_meta.index == 1;
 };
diff --git a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac
index e1850f8b45..55756b61e9 100644
--- a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac
+++ b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac
@@ -148,8 +148,11 @@ refine connection NTLM_Conn += {
 		if ( ${val}->has_workstation() > 0 )
 			result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
 
+		if ( ${val}->has_encrypted_session_key() > 0 )
+			result->Assign(4, bytestring_to_val(${val.encrypted_session_key.string.data}));
+
 		if ( ${val}->has_version() )
-			result->Assign(4, build_version_record(${val.version}));
+			result->Assign(5, build_version_record(${val.version}));
 
 		BifEvent::generate_ntlm_authenticate(bro_analyzer(),
 		                                     bro_analyzer()->Conn(),
diff --git a/src/analyzer/protocol/ntlm/ntlm-protocol.pac b/src/analyzer/protocol/ntlm/ntlm-protocol.pac
index c553330760..8862be1f22 100644
--- a/src/analyzer/protocol/ntlm/ntlm-protocol.pac
+++ b/src/analyzer/protocol/ntlm/ntlm-protocol.pac
@@ -61,7 +61,7 @@ type NTLM_Authenticate(offset: uint16) = record {
 	domain_name           : NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(domain_name_fields.length > 0);
 	user_name             : NTLM_String(user_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(user_name_fields.length > 0);
 	workstation           : NTLM_String(workstation_fields, absolute_offset , flags.negotiate_unicode) withinput payload &if(workstation_fields.length > 0);
-	encrypted_session_key : NTLM_String(encrypted_session_key_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_key_exch);
+	encrypted_session_key : NTLM_String(encrypted_session_key_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(encrypted_session_key_fields.length > 0);
 };
 
 type NTLM_Version = record {
diff --git a/src/analyzer/protocol/pia/CMakeLists.txt b/src/analyzer/protocol/pia/CMakeLists.txt
index ff55bcf0aa..02397f7aff 100644
--- a/src/analyzer/protocol/pia/CMakeLists.txt
+++ b/src/analyzer/protocol/pia/CMakeLists.txt
@@ -5,5 +5,4 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 
 bro_plugin_begin(Bro PIA)
 bro_plugin_cc(PIA.cc Plugin.cc)
-bro_plugin_bif(events.bif)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc
index 7d73624dd0..8f5e23a1ce 100644
--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@@ -3,8 +3,6 @@
 #include "analyzer/protocol/tcp/TCP_Flags.h"
 #include "analyzer/protocol/tcp/TCP_Reassembler.h"
 
-#include "events.bif.h"
-
 using namespace analyzer::pia;
 
 PIA::PIA(analyzer::Analyzer* arg_as_analyzer)
diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index 01b47e9478..1ba2c465d8 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
@@ -142,7 +142,7 @@ refine flow RDP_Flow += {
 		                 connection()->bro_analyzer()->GetAnalyzerTag(),
 		                 connection()->bro_analyzer()->Conn(),
 		                 false, // It seems there are only server certs?
-		                 file_id);
+		                 file_id, "application/x-x509-user-cert");
 		file_mgr->EndOfFile(file_id);
 
 		return true;
diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc
index 8a2620e2e5..03cd91e573 100644
--- a/src/analyzer/protocol/rpc/NFS.cc
+++ b/src/analyzer/protocol/rpc/NFS.cc
@@ -1,6 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include <algorithm>
+#include <vector>
 
 #include "bro-config.h"
 
@@ -68,6 +69,10 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
 		callarg = nfs3_diropargs(buf, n);
 		break;
 
+	case BifEnum::NFS3::PROC_RENAME:
+		callarg = nfs3_renameopargs(buf, n);
+		break;
+
 	case BifEnum::NFS3::PROC_READDIR:
 		callarg = nfs3_readdirargs(false, buf, n);
 		break;
@@ -196,6 +201,11 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
 		event = nfs_proc_rmdir;
 		break;
 
+	case BifEnum::NFS3::PROC_RENAME:
+		reply = nfs3_renameobj_reply(buf, n);
+		event = nfs_proc_rename;
+		break;
+
 	case BifEnum::NFS3::PROC_READDIR:
 		reply = nfs3_readdir_reply(false, buf, n, nfs_status);
 		event = nfs_proc_readdir;
@@ -250,8 +260,9 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
 
 		analyzer->ConnectionEvent(event, vl);
 		}
+	else
+		Unref(reply);
 
-	Unref(reply);
 	return 1;
 	}
 
@@ -288,6 +299,10 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s
 	// These are the first parameters for each nfs_* event ...
 	val_list *vl = new val_list;
 	vl->append(analyzer->BuildConnVal());
+	VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
+
+	for ( size_t i = 0; i < c->AuxGIDs().size(); ++i )
+		auxgids->Assign(i, new Val(c->AuxGIDs()[i], TYPE_COUNT));
 
 	RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t);
 	info->Assign(0, new EnumVal(rpc_status, BifType::Enum::rpc_status));
@@ -298,6 +313,11 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s
 	info->Assign(5, new Val(rep_start_time, TYPE_TIME));
 	info->Assign(6, new Val(rep_last_time-rep_start_time, TYPE_INTERVAL));
 	info->Assign(7, new Val(reply_len, TYPE_COUNT));
+	info->Assign(8, new Val(c->Uid(), TYPE_COUNT));
+	info->Assign(9, new Val(c->Gid(), TYPE_COUNT));
+	info->Assign(10, new Val(c->Stamp(), TYPE_COUNT));
+	info->Assign(11, new StringVal(c->MachineName()));
+	info->Assign(12, auxgids);
 
 	vl->append(info);
 	return vl;
@@ -374,6 +394,17 @@ RecordVal *NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n)
 	return diropargs;
 	}
 
+RecordVal *NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n)
+	{
+	RecordVal *renameopargs = new RecordVal(BifType::Record::NFS3::renameopargs_t);
+
+	renameopargs->Assign(0, nfs3_fh(buf, n));
+	renameopargs->Assign(1, nfs3_filename(buf, n));
+	renameopargs->Assign(2, nfs3_fh(buf, n));
+	renameopargs->Assign(3, nfs3_filename(buf, n));
+
+	return renameopargs;
+	}
 
 RecordVal* NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n)
 	{
@@ -558,6 +589,19 @@ RecordVal* NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n)
 	return rep;
 	}
 
+RecordVal* NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n)
+	{
+	RecordVal *rep = new RecordVal(BifType::Record::NFS3::renameobj_reply_t);
+
+	// wcc_data
+	rep->Assign(0, nfs3_pre_op_attr(buf, n));
+	rep->Assign(1, nfs3_post_op_attr(buf, n));
+	rep->Assign(2, nfs3_pre_op_attr(buf, n));
+	rep->Assign(3, nfs3_post_op_attr(buf, n));
+
+	return rep;
+	}
+
 RecordVal* NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n)
 	{
 	RecordVal *args = new RecordVal(BifType::Record::NFS3::readdirargs_t);
@@ -646,7 +690,7 @@ Val* NFS_Interp::ExtractBool(const u_char*& buf, int& n)
 
 
 NFS_Analyzer::NFS_Analyzer(Connection* conn)
-	: RPC_Analyzer("RPC", conn, new NFS_Interp(this))
+	: RPC_Analyzer("NFS", conn, new NFS_Interp(this))
 	{
 	orig_rpc = resp_rpc = 0;
 	}
diff --git a/src/analyzer/protocol/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h
index ba6cab38e2..85fb10ab49 100644
--- a/src/analyzer/protocol/rpc/NFS.h
+++ b/src/analyzer/protocol/rpc/NFS.h
@@ -37,6 +37,7 @@ protected:
 	EnumVal* nfs3_ftype(const u_char*& buf, int& n);
 	RecordVal* nfs3_wcc_attr(const u_char*& buf, int& n);
 	RecordVal* nfs3_diropargs(const u_char*&buf, int &n);
+	RecordVal* nfs3_renameopargs(const u_char*&buf, int &n);
 	StringVal* nfs3_filename(const u_char*& buf, int& n);
 	StringVal* nfs3_nfspath(const u_char*& buf, int& n)
 		{
@@ -54,6 +55,7 @@ protected:
 	RecordVal* nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
 	RecordVal* nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
 	RecordVal* nfs3_delobj_reply(const u_char*& buf, int& n);
+	RecordVal* nfs3_renameobj_reply(const u_char*& buf, int& n);
 	StringVal* nfs3_post_op_fh(const u_char*& buf, int& n);
 	RecordVal* nfs3_readdirargs(bool isplus, const u_char*& buf, int&n);
 	RecordVal* nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc
index aff6bfefc0..6ccd8008b8 100644
--- a/src/analyzer/protocol/rpc/RPC.cc
+++ b/src/analyzer/protocol/rpc/RPC.cc
@@ -40,7 +40,19 @@ RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n, double ar
 	prog = extract_XDR_uint32(buf, n);
 	vers = extract_XDR_uint32(buf, n);
 	proc = extract_XDR_uint32(buf, n);
-	cred_flavor = skip_XDR_opaque_auth(buf, n);
+	cred_flavor = extract_XDR_uint32(buf, n);
+	int cred_opaque_n, machinename_n;
+	const u_char* cred_opaque = extract_XDR_opaque(buf, n, cred_opaque_n);
+	stamp = extract_XDR_uint32(cred_opaque, cred_opaque_n);
+	const u_char* tmp = extract_XDR_opaque(cred_opaque, cred_opaque_n, machinename_n);
+	machinename = std::string(reinterpret_cast<const char*>(tmp), machinename_n);
+	uid = extract_XDR_uint32(cred_opaque, cred_opaque_n);
+	gid = extract_XDR_uint32(cred_opaque, cred_opaque_n);
+	size_t number_of_gids = extract_XDR_uint32(cred_opaque, cred_opaque_n);
+
+	for ( auto i = 0u; i < number_of_gids; ++i )
+		auxgids.push_back(extract_XDR_uint32(cred_opaque, cred_opaque_n));
+
 	verf_flavor = skip_XDR_opaque_auth(buf, n);
 
 	header_len = call_n - n;
diff --git a/src/analyzer/protocol/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h
index e87f8afa95..ab7b3968c7 100644
--- a/src/analyzer/protocol/rpc/RPC.h
+++ b/src/analyzer/protocol/rpc/RPC.h
@@ -62,6 +62,11 @@ public:
 	uint32 Program() const		{ return prog; }
 	uint32 Version() const		{ return vers; }
 	uint32 Proc() const		{ return proc; }
+	uint32 Uid() const { return uid; }
+	uint32 Gid() const { return gid; }
+	uint32 Stamp() const { return stamp; }
+	const std::string& MachineName() const { return machinename; }
+	const std::vector<int>& AuxGIDs() const { return auxgids; }
 
 	double StartTime() const	{ return start_time; }
 	void SetStartTime(double t)	{ start_time = t; }
@@ -78,8 +83,12 @@ public:
 
 protected:
 	uint32 xid, rpc_version, prog, vers, proc;
-	uint32 cred_flavor, verf_flavor;
+	uint32 cred_flavor, stamp;
+	uint32 uid, gid;
+	std::vector<int> auxgids;
+	uint32 verf_flavor;
 	u_char* call_buf;	// copy of original call buffer
+	std::string machinename;
 	double start_time;
 	double last_time;
 	int rpc_len;		// size of the full RPC call, incl. xid and msg_type
diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif
index fc42aac6a6..881faface1 100644
--- a/src/analyzer/protocol/rpc/events.bif
+++ b/src/analyzer/protocol/rpc/events.bif
@@ -274,6 +274,34 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
+## Generated for NFSv3 request/reply dialogues of type *rename*. The event is
+## generated once we have either seen both the request and its corresponding
+## reply, or an unanswered request has timed out.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## req: TODO.
+##
+## rep: The response returned in the reply. The values may not be valid if the
+##      request was unsuccessful.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+##    nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+##    nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write
+##    nfs_reply_status rpc_call rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t%);
+
 ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is
 ## generated once we have either seen both the request and its corresponding
 ## reply, or an unanswered request has timed out.
diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt
index 2ea745d51d..bf44501b96 100644
--- a/src/analyzer/protocol/smb/CMakeLists.txt
+++ b/src/analyzer/protocol/smb/CMakeLists.txt
@@ -26,17 +26,18 @@ bro_plugin_bif(
 
 	smb2_com_close.bif
 	smb2_com_create.bif
-	#smb2_com_ioctl.bif
-	#smb2_com_lock.bif
 	smb2_com_negotiate.bif
 	smb2_com_read.bif
 	smb2_com_session_setup.bif
 	smb2_com_set_info.bif
 	smb2_com_tree_connect.bif
-	#smb2_com_tree_disconnect.bif
+	smb2_com_tree_disconnect.bif
 	smb2_com_write.bif
 	smb2_events.bif
 
+	events.bif
+	consts.bif
+
 	types.bif)
 bro_plugin_pac(
 	smb.pac
diff --git a/src/analyzer/protocol/smb/SMB.cc b/src/analyzer/protocol/smb/SMB.cc
index da202f5269..97178545ef 100644
--- a/src/analyzer/protocol/smb/SMB.cc
+++ b/src/analyzer/protocol/smb/SMB.cc
@@ -10,38 +10,34 @@ SMB_Analyzer::SMB_Analyzer(Connection *conn)
 : tcp::TCP_ApplicationAnalyzer("SMB", conn)
 	{
 	chunks=0;
-	interp=0;
+	interp = new binpac::SMB::SMB_Conn(this);
+	need_sync=true;
 	}
 
 SMB_Analyzer::~SMB_Analyzer()
 	{
-	if ( interp )
-		delete interp;
+	delete interp;
 	}
 
 void SMB_Analyzer::Done()
 	{
 	TCP_ApplicationAnalyzer::Done();
 
-	if ( interp )
-		{
-		interp->FlowEOF(true);
-		interp->FlowEOF(false);
-		}
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
 	}
 
 void SMB_Analyzer::EndpointEOF(bool is_orig)
 	{
 	TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 
-	if ( interp )
-		interp->FlowEOF(is_orig);
+	interp->FlowEOF(is_orig);
 	}
 
 void SMB_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
-	
+
 	NeedResync();
 	}
 
@@ -54,24 +50,28 @@ bool SMB_Analyzer::HasSMBHeader(int len, const u_char* data)
 	        strncmp((const char*) data+4, "\xfeSMB", 4) == 0);
 	}
 
+void SMB_Analyzer::NeedResync()
+	{
+	interp->upflow()->flow_buffer()->DiscardData();
+	interp->downflow()->flow_buffer()->DiscardData();
+	need_sync=true;
+	}
+
 void SMB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
 	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 
 	assert(TCP());
 
-	// Either instantiate an interpreter or bail.
-	if ( ! interp )
-		{
-		if ( HasSMBHeader(len, data) )
-			interp = new binpac::SMB::SMB_Conn(this);
-		else
-			return;
-		}
+	// It we need to resync and we don't have an SMB header, bail!
+	if ( need_sync && ! HasSMBHeader(len, data) )
+		return;
+	else
+		need_sync=false;
 
 	try
 		{
-		// If we get here, it means we have an interpreter.
+		// If we get here, it means we have an SMB header in the message.
 		interp->NewData(orig, data, data + len);
 
 		// Let's assume that if there are no binpac exceptions after
diff --git a/src/analyzer/protocol/smb/SMB.h b/src/analyzer/protocol/smb/SMB.h
index 2edeecf506..ea9ec2e6a5 100644
--- a/src/analyzer/protocol/smb/SMB.h
+++ b/src/analyzer/protocol/smb/SMB.h
@@ -17,10 +17,7 @@ public:
 	void EndpointEOF(bool is_orig) override;
 
 	bool HasSMBHeader(int len, const u_char* data);
-	void NeedResync() {
-		delete interp;
-		interp = 0;
-	}
+	void NeedResync();
 
 	static analyzer::Analyzer* Instantiate(Connection* conn)
 		{ return new SMB_Analyzer(conn); }
@@ -31,6 +28,8 @@ protected:
 	// Count the number of chunks received by the analyzer
 	// but only used to count the first few.
 	uint8 chunks;
+
+	bool need_sync;
 };
 
 } } // namespace analyzer::*
diff --git a/src/analyzer/protocol/smb/consts.bif b/src/analyzer/protocol/smb/consts.bif
new file mode 100644
index 0000000000..321875b43d
--- /dev/null
+++ b/src/analyzer/protocol/smb/consts.bif
@@ -0,0 +1 @@
+const SMB::pipe_filenames: string_set;
\ No newline at end of file
diff --git a/src/analyzer/protocol/smb/events.bif b/src/analyzer/protocol/smb/events.bif
new file mode 100644
index 0000000000..d0091589fe
--- /dev/null
+++ b/src/analyzer/protocol/smb/events.bif
@@ -0,0 +1,10 @@
+## Generated for :abbr:`SMB (Server Message Block)` connections when a
+## named pipe has been detected heuristically.  The case when this comes
+## up is when the drive mapping isn't seen so the analyzer is not able
+## to determine whether to send the data to the files framework or to
+## the DCE_RPC analyzer. This heuristic can be tuned by adding or
+## removing "named pipe" names from the :bro:see:`SMB::pipe_filenames`
+## const.
+##
+## c: The connection.
+event smb_pipe_connect_heuristic%(c: connection%);
diff --git a/src/analyzer/protocol/smb/smb-gssapi.pac b/src/analyzer/protocol/smb/smb-gssapi.pac
index 0a933e8286..2bde6e9e8f 100644
--- a/src/analyzer/protocol/smb/smb-gssapi.pac
+++ b/src/analyzer/protocol/smb/smb-gssapi.pac
@@ -2,10 +2,12 @@
 refine connection SMB_Conn += {
 	%member{
 		analyzer::Analyzer *gssapi;
+		analyzer::Analyzer *ntlm;
 	%}
 
 	%init{
 		gssapi = 0;
+		ntlm = 0;
 	%}
 
 	%cleanup{
@@ -14,6 +16,12 @@ refine connection SMB_Conn += {
 			gssapi->Done();
 			delete gssapi;
 			}
+
+		if ( ntlm )
+			{
+			ntlm->Done();
+			delete ntlm;
+			}
 	%}
 
 	function forward_gssapi(data: bytestring, is_orig: bool): bool
@@ -21,9 +29,24 @@ refine connection SMB_Conn += {
 		if ( ! gssapi )
 			gssapi = analyzer_mgr->InstantiateAnalyzer("GSSAPI", bro_analyzer()->Conn());
 
-		if ( gssapi )
-			gssapi->DeliverStream(${data}.length(), ${data}.begin(), is_orig);
+		if ( ! ntlm )
+			ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());
 
+		// SMB allows raw NTLM instead of GSSAPI in certain messages.
+		// We check if this is the case and run the NTLM analyzer directly.
+		if ( ${data}.length() >= 8 )
+			{
+			if ( strncmp((const char*)${data}.begin(), "NTLMSSP",7) == 0 )
+				{
+				if ( ntlm )
+					ntlm->DeliverStream(${data}.length(), ${data}.begin(), is_orig);
+				}
+			else
+				{
+				if ( gssapi )
+					gssapi->DeliverStream(${data}.length(), ${data}.begin(), is_orig);
+				}
+			}
 		return true;
 		%}
 };
diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac
index 5c32f1f17c..2407c63dd3 100644
--- a/src/analyzer/protocol/smb/smb-pipe.pac
+++ b/src/analyzer/protocol/smb/smb-pipe.pac
@@ -5,7 +5,7 @@
 refine connection SMB_Conn += {
 	%member{
 		map<uint16,bool> tree_is_pipe_map;
-		map<uint64,analyzer::dce_rpc::DCE_RPC_Analyzer*> fid_to_analyzer_map;;
+		map<uint64,analyzer::dce_rpc::DCE_RPC_Analyzer*> fid_to_analyzer_map;
 	%}
 
 	%cleanup{
@@ -20,18 +20,20 @@ refine connection SMB_Conn += {
 			}
 	%}
 
-
 	function get_tree_is_pipe(tree_id: uint16): bool
 		%{
-		if ( tree_is_pipe_map.count(tree_id) > 0 )
-			return tree_is_pipe_map.at(tree_id);
-		else
-			return false;
+		return ( tree_is_pipe_map.count(tree_id) > 0 );
 		%}
 
-	function set_tree_is_pipe(tree_id: uint16, is_pipe: bool): bool
+	function unset_tree_is_pipe(tree_id: uint16): bool
 		%{
-		tree_is_pipe_map[tree_id] = is_pipe;
+		tree_is_pipe_map.erase(tree_id);
+		return true;
+		%}
+
+	function set_tree_is_pipe(tree_id: uint16): bool
+		%{
+		tree_is_pipe_map[tree_id] = true;
 		return true;
 		%}
 
diff --git a/src/analyzer/protocol/smb/smb-time.pac b/src/analyzer/protocol/smb/smb-time.pac
index 0ad97d20a3..52654c7a2b 100644
--- a/src/analyzer/protocol/smb/smb-time.pac
+++ b/src/analyzer/protocol/smb/smb-time.pac
@@ -30,6 +30,7 @@ function time_from_lanman(t: SMB_time, d: SMB_date, tz: uint16): Val
 	lTime.tm_mday = ${d.day};
 	lTime.tm_mon = ${d.month};
 	lTime.tm_year = 1980 + ${d.year};
+    lTime.tm_isdst = -1;
 	double lResult = mktime(&lTime);
 	return new Val(lResult + tz, TYPE_TIME);
 	%}
diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac
index e0dffd2484..156037f614 100644
--- a/src/analyzer/protocol/smb/smb.pac
+++ b/src/analyzer/protocol/smb/smb.pac
@@ -9,6 +9,8 @@
 #include "smb2_events.bif.h"
 
 #include "types.bif.h"
+#include "events.bif.h"
+#include "consts.bif.h"
 
 #include "smb1_com_check_directory.bif.h"
 #include "smb1_com_close.bif.h"
@@ -29,14 +31,12 @@
 
 #include "smb2_com_close.bif.h"
 #include "smb2_com_create.bif.h"
-//#include "smb2_com_ioctl.bif.h"
-//#include "smb2_com_lock.bif.h"
 #include "smb2_com_negotiate.bif.h"
 #include "smb2_com_read.bif.h"
 #include "smb2_com_session_setup.bif.h"
 #include "smb2_com_set_info.bif.h"
 #include "smb2_com_tree_connect.bif.h"
-//#include "smb2_com_tree_disconnect.bif.h"
+#include "smb2_com_tree_disconnect.bif.h"
 #include "smb2_com_write.bif.h"
 %}
 
diff --git a/src/analyzer/protocol/smb/smb1-com-close.pac b/src/analyzer/protocol/smb/smb1-com-close.pac
index 4aa6c5c3a0..092f8f4020 100644
--- a/src/analyzer/protocol/smb/smb1-com-close.pac
+++ b/src/analyzer/protocol/smb/smb1-com-close.pac
@@ -8,14 +8,8 @@ refine connection SMB_Conn += {
 			                                     BuildHeaderVal(h),
 			                                     ${val.file_id});
 
-		// This is commented out for the moment because it caused problems
-		// with extraction because the file kept having the same name due
-		// to repeatedly having the same file uid.  This results in files
-		// effectively falling of SMB solely by expiration instead of
-		// manually being closed.
-
-		//file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
-		//		    bro_analyzer()->Conn(), h->is_orig());
+		file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
+		                    bro_analyzer()->Conn(), h->is_orig());
 
 		return true;
 		%}
diff --git a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
index 36a583696e..0cdae1cefb 100644
--- a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
+++ b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
@@ -1,13 +1,27 @@
 refine connection SMB_Conn += {
 	function proc_smb1_nt_create_andx_request(header: SMB_Header, val: SMB1_nt_create_andx_request): bool
 		%{
+		StringVal *filename = smb_string2stringval(${val.filename});
+		if ( ! ${header.is_pipe} &&
+		     BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
+			{
+			set_tree_is_pipe(${header.tid});
+			BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
+			                                              bro_analyzer()->Conn());
+			}
+
 		if ( smb1_nt_create_andx_request )
 			{
 			BifEvent::generate_smb1_nt_create_andx_request(bro_analyzer(),
 			                                              bro_analyzer()->Conn(),
 			                                              BuildHeaderVal(header),
-			                                              smb_string2stringval(${val.filename}));
+			                                              filename);
 			}
+		else
+			{
+			delete filename;
+			}
+
 		return true;
 		%}
 
@@ -26,14 +40,6 @@ refine connection SMB_Conn += {
 			                                                                 ${val.last_change_time}));
 			}
 
-		if ( ${val.end_of_file} > 0 )
-			{
-			//file_mgr->SetSize(${val.end_of_file},
-			//                  bro_analyzer()->GetAnalyzerTag(),
-			//                  bro_analyzer()->Conn(),
-			//                  header->is_orig());
-			}
-
 		return true;
 		%}
 
diff --git a/src/analyzer/protocol/smb/smb1-com-open-andx.pac b/src/analyzer/protocol/smb/smb1-com-open-andx.pac
deleted file mode 100644
index 8f19f6f3a4..0000000000
--- a/src/analyzer/protocol/smb/smb1-com-open-andx.pac
+++ /dev/null
@@ -1,85 +0,0 @@
-refine connection SMB_Conn += {
-
-	function proc_smb1_open_andx_request(h: SMB_Header, val: SMB1_open_andx_request): bool
-		%{
-		if ( smb1_open_andx_request )
-			BifEvent::generate_smb1_open_andx_request(bro_analyzer(),
-			                                          bro_analyzer()->Conn(),
-			                                          BuildHeaderVal(h),
-			                                          ${val.flags},
-			                                          ${val.access_mode},
-													  ${val.search_attrs},
-													  ${val.file_attrs},
-													  ${val.creation_time},
-													  ${val.open_mode},
-													  ${val.allocation_size},
-													  ${val.timeout},
-			                                          smb_string2stringval(${val.filename}));
-
-		return true;
-		%}
-
-	function proc_smb1_open_andx_response(h: SMB_Header, val: SMB1_open_andx_response): bool
-		%{
-		if ( smb1_open_andx_response )
-			BifEvent::generate_smb1_open_andx_response(bro_analyzer(),
-			                                           bro_analyzer()->Conn(),
-			                                           BuildHeaderVal(h),
-													   ${val.fid},
-													   ${val.file_attrs},
-													   ${val.last_write_time},
-													   ${val.file_data_size},
-													   ${val.access_rights},
-													   ${val.resource_type},
-													   ${val.nm_pipe_status},
-													   ${val.open_results});
-
-		return true;
-		%}
-
-};
-
-
-
-type SMB1_open_andx_request(header: SMB_Header, offset: uint16) = record {
-	word_count        : uint8;
-	andx           	  : SMB_andx;
-	flags		   	  : uint16;
-	access_mode	   	  : uint16;
-	search_attrs   	  : uint16;
-	file_attrs	   	  : uint16;
-	creation_time  	  : uint32;
-	open_mode	   	  : uint16;
-	allocation_size   : uint32;
-	timeout		      : uint32;
-	reserved	   	  : padding[2];
-	byte_count	   	  : uint16;
-	filename	   	  : SMB_string(header.unicode, offsetof(filename);
-
-	extra_byte_parameters : bytestring &transient &length=(andx.offset == 0 || andx.offset >= (offset+offsetof(extra_byte_parameters))+2) ? 0 : (andx.offset-(offset+offsetof(extra_byte_parameters)));
-
-	andx_command      : SMB_andx_command(header, 1, offset+offsetof(andx_command), andx.command);
-} &let {
-	proc        : bool   = $context.connection.proc_smb1_open_andx_request(header, this);
-} &byteorder=littleendian;
-
-type SMB1_open_andx_response(header: SMB_Header, offset: uint16) = record {
-	word_count        : uint8;
-	andx              : SMB_andx;
-	fid				  : uint16;
-	file_attrs		  : uint16;
-	last_write_time	  : uint32;
-	file_data_size	  : uint32;
-	access_rights	  : uint16;
-	resource_type	  : uint16;
-	nm_pipe_status	  : uint16;
-	open_results	  : uint16;
-	reserved		  : padding[3];
-	byte_count		  : uint16;
-
-	extra_byte_parameters : bytestring &transient &length=(andx.offset == 0 || andx.offset >= (offset+offsetof(extra_byte_parameters))+2) ? 0 : (andx.offset-(offset+offsetof(extra_byte_parameters)));
-
-	andx_command      : SMB_andx_command(header, 0, offset+offsetof(andx_command), andx.command);
-} &let {
-	proc        : bool   = $context.connection.proc_smb1_open_andx_response(header, this);
-} &byteorder=littleendian;
diff --git a/src/analyzer/protocol/smb/smb1-com-read-andx.pac b/src/analyzer/protocol/smb/smb1-com-read-andx.pac
index 89e367206d..712ad8948b 100644
--- a/src/analyzer/protocol/smb/smb1-com-read-andx.pac
+++ b/src/analyzer/protocol/smb/smb1-com-read-andx.pac
@@ -28,7 +28,7 @@ refine connection SMB_Conn += {
 			                                          BuildHeaderVal(h),
 			                                          ${val.data_len});
 
-		if ( ! ${val.is_pipe} && ${val.data_len} > 0 )
+		if ( ! ${h.is_pipe} && ${val.data_len} > 0 )
 			{
 			uint64 offset = read_offsets[${h.mid}];
 			read_offsets.erase(${h.mid});
@@ -93,8 +93,7 @@ type SMB1_read_andx_response(header: SMB_Header, offset: uint16) = record {
 
 	andx_command      : SMB_andx_command(header, 0, offset+offsetof(andx_command), andx.command);
 } &let {
-	is_pipe     : bool   = $context.connection.get_tree_is_pipe(header.tid);
-	pipe_proc   : bool   = $context.connection.forward_dce_rpc(data, 0, false) &if(is_pipe);
+	pipe_proc   : bool   = $context.connection.forward_dce_rpc(data, 0, false) &if(header.is_pipe);
 
 	padding_len : uint8  = (header.unicode == 1) ? 1 : 0;
 	data_len    : uint32 = (data_len_high << 16) + data_len_low;
diff --git a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac
index 756a28bc96..526febce39 100644
--- a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac
+++ b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac
@@ -13,7 +13,11 @@ refine connection SMB_Conn += {
 
 	function proc_smb1_tree_connect_andx_response(header: SMB_Header, val: SMB1_tree_connect_andx_response): bool
 		%{
-		set_tree_is_pipe(${header.tid}, strncmp((const char*) smb_string2stringval(${val.service})->Bytes(), "IPC", 3) == 0);
+		if ( strncmp((const char*) smb_string2stringval(${val.service})->Bytes(),
+		     "IPC", 3) == 0 )
+			{
+			set_tree_is_pipe(${header.tid});
+			}
 		
 		if ( smb1_tree_connect_andx_response )
 			{
diff --git a/src/analyzer/protocol/smb/smb1-com-write-andx.pac b/src/analyzer/protocol/smb/smb1-com-write-andx.pac
index 79d36c52b5..8b4eed7056 100644
--- a/src/analyzer/protocol/smb/smb1-com-write-andx.pac
+++ b/src/analyzer/protocol/smb/smb1-com-write-andx.pac
@@ -10,7 +10,7 @@ refine connection SMB_Conn += {
 			                                           ${val.write_offset},
 			                                           ${val.data_len});
 
-		if ( ! ${val.is_pipe} && ${val.data}.length() > 0 )
+		if ( ! ${h.is_pipe} && ${val.data}.length() > 0 )
 			{
 			file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(),
 			                 ${val.write_offset},
@@ -58,8 +58,7 @@ type SMB1_write_andx_request(header: SMB_Header, offset: uint16) = record {
 
 	andx_command    : SMB_andx_command(header, 1, offset+offsetof(andx_command), andx.command);
 } &let {
-	is_pipe     : bool   = $context.connection.get_tree_is_pipe(header.tid);
-	pipe_proc   : bool   = $context.connection.forward_dce_rpc(data, 0, true) &if(is_pipe);
+	pipe_proc   : bool   = $context.connection.forward_dce_rpc(data, 0, true) &if(header.is_pipe);
 
 	data_len    : uint32 = (data_len_high << 16) + data_len_low;
 	offset_high : uint32 = (word_count == 0x0E) ? offset_high_tmp : 0;
diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac
index b7ad6af140..4b38feefcb 100644
--- a/src/analyzer/protocol/smb/smb1-protocol.pac
+++ b/src/analyzer/protocol/smb/smb1-protocol.pac
@@ -127,7 +127,7 @@ type SMB_andx_command(header: SMB_Header, is_orig: bool, offset: uint16, command
 
 type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_orig: bool) = case command of {
 	# SMB1 Command Extensions
-	#SMB_COM_OPEN_ANDX                -> open_andx              : SMB_open_andx_request(header);
+	#SMB_COM_OPEN_ANDX                -> open_andx              : SMB1_open_andx_request(header);
 	SMB_COM_READ_ANDX                -> read_andx              : SMB1_read_andx_request(header, offset);
 	SMB_COM_WRITE_ANDX               -> write_andx             : SMB1_write_andx_request(header, offset);
 	SMB_COM_TRANSACTION2             -> transaction2           : SMB1_transaction2_request(header);
@@ -205,7 +205,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_
 
 type SMB_Message_Response(header: SMB_Header, offset: uint16, command: uint8, is_orig: bool) = case command of {
 	# SMB1 Command Extensions
-	#SMB_COM_OPEN_ANDX                -> open_andx              : SMB_open_andx_response(header, offset);
+	#SMB_COM_OPEN_ANDX                -> open_andx              : SMB1_open_andx_response(header, offset);
 	SMB_COM_READ_ANDX                -> read_andx              : SMB1_read_andx_response(header, offset);
 	SMB_COM_WRITE_ANDX               -> write_andx             : SMB1_write_andx_response(header, offset);
 	SMB_COM_TRANSACTION2             -> transaction2           : SMB1_transaction2_response(header);
@@ -298,7 +298,8 @@ type SMB_Header(is_orig: bool) = record {
 	err_status_type = (flags2 >> 14) & 1;
 	unicode         = (flags2 >> 15) & 1;
 	pid             = (pid_high * 0x10000) + pid_low;
-	proc : bool = $context.connection.proc_smb_message(this, is_orig);
+	is_pipe: bool   = $context.connection.get_tree_is_pipe(tid);
+	proc : bool     = $context.connection.proc_smb_message(this, is_orig);
 } &byteorder=littleendian;
 
 # TODO: compute this as
diff --git a/src/analyzer/protocol/smb/smb1_com_open_andx.bif b/src/analyzer/protocol/smb/smb1_com_open_andx.bif
deleted file mode 100644
index 1ce418e33a..0000000000
--- a/src/analyzer/protocol/smb/smb1_com_open_andx.bif
+++ /dev/null
@@ -1,41 +0,0 @@
-## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 requests of type *open andx*. This is sent by the client to create and open a new
-## file or open an existing regular file and chain additional messages along with the request.
-##
-## For more information, see MS-CIFS:2.2.4.41
-##
-## c: The connection.
-##
-## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
-##
-## flags: Flags requesting attribute data and locking.
-##
-## access_mode: The requested access mode.
-##
-## search_attrs: The set of attributes that the file MUST have in order to be found.
-##
-## file_attrs: The set of attributes that the file is to have if the file needs to be created.
-##
-## creation_time: The time of creation if the file is created.
-##
-## open_mode: The way a file s 
-##
-## length: The number of bytes being requested.
-##
-## .. bro:see:: smb1_message smb1_open_andx_response
-event smb1_open_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count%);
-
-## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## version 1 responses of type *open andx*. This is the server response to the *open andx* request.
-##
-## For more information, see MS-CIFS:2.2.4.41
-##
-## c: The connection.
-##
-## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
-##
-## data_len: The length of data from the requested file.
-##
-## .. bro:see:: smb1_message smb1_open_andx_request
-event smb1_open_andx_response%(c: connection, hdr: SMB1::Header, data_len: count%);
-
diff --git a/src/analyzer/protocol/smb/smb2-com-close.pac b/src/analyzer/protocol/smb/smb2-com-close.pac
index bb3b1bab49..0c90897d84 100644
--- a/src/analyzer/protocol/smb/smb2-com-close.pac
+++ b/src/analyzer/protocol/smb/smb2-com-close.pac
@@ -10,6 +10,9 @@ refine connection SMB_Conn += {
 			                                      BuildSMB2GUID(${val.file_id}));
 			}
 
+		file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
+		                    bro_analyzer()->Conn(), h->is_orig());
+
 		return true;
 		%}
 
diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac
index 0072e75adf..4d7c70bbe7 100644
--- a/src/analyzer/protocol/smb/smb2-com-create.pac
+++ b/src/analyzer/protocol/smb/smb2-com-create.pac
@@ -2,12 +2,25 @@ refine connection SMB_Conn += {
 
 	function proc_smb2_create_request(h: SMB2_Header, val: SMB2_create_request): bool
 		%{
+		StringVal *filename = smb2_string2stringval(${val.filename});
+		if ( ! ${h.is_pipe} &&
+		     BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
+			{
+			set_tree_is_pipe(${h.tree_id});
+			BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
+			                                              bro_analyzer()->Conn());
+			}
+
 		if ( smb2_create_request )
 			{
 			BifEvent::generate_smb2_create_request(bro_analyzer(),
 			                                       bro_analyzer()->Conn(),
 			                                       BuildSMB2HeaderVal(h),
-			                                       smb2_string2stringval(${val.filename}));
+			                                       filename);
+			}
+		else
+			{
+			delete filename;
 			}
 
 		return true;
@@ -29,14 +42,6 @@ refine connection SMB_Conn += {
 			                                        smb2_file_attrs_to_bro(${val.file_attrs}));
 			}
 
-		if ( ${val.eof} > 0 )
-			{
-			//file_mgr->SetSize(${val.eof},
-			//                  bro_analyzer()->GetAnalyzerTag(),
-			//                  bro_analyzer()->Conn(),
-			//                  h->is_orig());
-			}
-
 		return true;
 		%}
 };
diff --git a/src/analyzer/protocol/smb/smb2-com-lock.pac b/src/analyzer/protocol/smb/smb2-com-lock.pac
index d6b1f5c2c8..3efd5f4e55 100644
--- a/src/analyzer/protocol/smb/smb2-com-lock.pac
+++ b/src/analyzer/protocol/smb/smb2-com-lock.pac
@@ -1,5 +1,5 @@
 refine connection SMB_Conn += {
-
+	# Needs to be implemented.
 };
 
 type SMB2_lock = record {
diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac
index 1fa409a5f0..cf5d2ae065 100644
--- a/src/analyzer/protocol/smb/smb2-com-read.pac
+++ b/src/analyzer/protocol/smb/smb2-com-read.pac
@@ -42,7 +42,7 @@ refine connection SMB_Conn += {
 		uint64 offset = smb2_read_offsets[${h.message_id}];
 		smb2_read_offsets.erase(${h.message_id});
 
-		if ( ! ${val.is_pipe} && ${val.data_len} > 0 )
+		if ( ! ${h.is_pipe} && ${val.data_len} > 0 )
 			{
 			file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset,
 			                 bro_analyzer()->GetAnalyzerTag(),
@@ -83,9 +83,8 @@ type SMB2_read_response(header: SMB2_Header) = record {
 	pad               : padding to data_offset - header.head_length;
 	data              : bytestring &length=data_len;
 } &let {
-	is_pipe   : bool   = $context.connection.get_tree_is_pipe(header.tree_id);
 	fid       : uint64 = $context.connection.get_file_id(header.message_id);
-	pipe_proc : bool   = $context.connection.forward_dce_rpc(data, fid, false) &if(is_pipe);
+	pipe_proc : bool   = $context.connection.forward_dce_rpc(data, fid, false) &if(header.is_pipe);
 
 	proc: bool = $context.connection.proc_smb2_read_response(header, this);
 };
diff --git a/src/analyzer/protocol/smb/smb2-com-tree-connect.pac b/src/analyzer/protocol/smb/smb2-com-tree-connect.pac
index 1c8b4d5978..fe59ecb74d 100644
--- a/src/analyzer/protocol/smb/smb2-com-tree-connect.pac
+++ b/src/analyzer/protocol/smb/smb2-com-tree-connect.pac
@@ -13,7 +13,8 @@ refine connection SMB_Conn += {
 
 	function proc_smb2_tree_connect_response(header: SMB2_Header, val: SMB2_tree_connect_response): bool
 		%{
-		set_tree_is_pipe(${header.tree_id}, ${val.share_type} == SMB2_SHARE_TYPE_PIPE);
+		if ( ${val.share_type} == SMB2_SHARE_TYPE_PIPE )
+			set_tree_is_pipe(${header.tree_id});
 
 		if ( smb2_tree_connect_response )
 			{
diff --git a/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac b/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac
index 4413b56952..cba7b0deb3 100644
--- a/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac
+++ b/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac
@@ -1,9 +1,45 @@
+
+refine connection SMB_Conn += {
+
+	function proc_smb2_tree_disconnect_request(header: SMB2_Header): bool
+		%{
+		unset_tree_is_pipe(${header.tree_id});
+
+		if ( smb2_tree_disconnect_request )
+			{
+			BifEvent::generate_smb2_tree_disconnect_request(bro_analyzer(),
+			                                                bro_analyzer()->Conn(),
+			                                                BuildSMB2HeaderVal(header));
+			}
+
+		return true;
+		%}
+
+	function proc_smb2_tree_disconnect_response(header: SMB2_Header): bool
+		%{
+		if ( smb2_tree_disconnect_response )
+			{
+			BifEvent::generate_smb2_tree_disconnect_response(bro_analyzer(),
+			                                                 bro_analyzer()->Conn(),
+			                                                 BuildSMB2HeaderVal(header));
+			}
+
+		return true;
+		%}
+
+};
+
 type SMB2_tree_disconnect_request(header: SMB2_Header) = record {
 	structure_size    : uint16;
 	reserved          : uint16;
+} &let {
+	proc: bool = $context.connection.proc_smb2_tree_disconnect_request(header);
+
 };
 
 type SMB2_tree_disconnect_response(header: SMB2_Header) = record {
 	structure_size    : uint16;
 	reserved          : uint16;
+} &let {
+	proc: bool = $context.connection.proc_smb2_tree_disconnect_response(header);
 };
diff --git a/src/analyzer/protocol/smb/smb2-com-write.pac b/src/analyzer/protocol/smb/smb2-com-write.pac
index f463afc767..177a3a84bd 100644
--- a/src/analyzer/protocol/smb/smb2-com-write.pac
+++ b/src/analyzer/protocol/smb/smb2-com-write.pac
@@ -12,7 +12,7 @@ refine connection SMB_Conn += {
 			                                      ${val.data_len});
 			}
 
-		if ( ! ${val.is_pipe} && ${val.data}.length() > 0 )
+		if ( ! ${h.is_pipe} && ${val.data}.length() > 0 )
 			{
 			file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, ${val.offset},
 			                 bro_analyzer()->GetAnalyzerTag(),
@@ -44,8 +44,7 @@ type SMB2_write_request(header: SMB2_Header) = record {
 	pad                 : padding to data_offset - header.head_length;
 	data                : bytestring &length=data_len;
 } &let {
-	is_pipe: bool = $context.connection.get_tree_is_pipe(header.tree_id);
-	pipe_proc : bool = $context.connection.forward_dce_rpc(data, file_id.persistent+file_id._volatile, true) &if(is_pipe);
+	pipe_proc : bool = $context.connection.forward_dce_rpc(data, file_id.persistent+file_id._volatile, true) &if(header.is_pipe);
 
 	proc : bool = $context.connection.proc_smb2_write_request(header, this);
 };
diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac
index 523ab3b890..1cad6e130e 100644
--- a/src/analyzer/protocol/smb/smb2-protocol.pac
+++ b/src/analyzer/protocol/smb/smb2-protocol.pac
@@ -35,10 +35,10 @@ type SMB2_PDU(is_orig: bool) = record {
 		# Status 0 indicates success.  In the case of a
 		# request this should just happen to work out due to
 		# how the fields are set.
-		0          -> msg                      : SMB2_Message(header, is_orig);
-		STATUS_BUFFER_OVERFLOW          -> buffer_overflow : SMB2_Message(header, is_orig);
+		0                               -> msg                      : SMB2_Message(header, is_orig);
+		STATUS_BUFFER_OVERFLOW          -> buffer_overflow          : SMB2_Message(header, is_orig);
 		STATUS_MORE_PROCESSING_REQUIRED -> more_processing_required : SMB2_Message(header, is_orig);
-		default    -> err                      : SMB2_error_response(header);
+		default                         -> err                      : SMB2_error_response(header);
 	};
 };
 
@@ -199,6 +199,7 @@ type SMB2_Header(is_orig: bool) = record {
 	related  = (flags >> 26) & 1;
 	msigned  = (flags >> 27) & 1;
 	dfs      = (flags) & 1;
+	is_pipe: bool = $context.connection.get_tree_is_pipe(tree_id);
 	proc : bool = $context.connection.proc_smb2_message(this, is_orig);
 } &byteorder=littleendian;
 
@@ -242,7 +243,9 @@ type SMB2_error_response(header: SMB2_Header) = record {
 	structure_size    : uint16;
 	reserved          : padding[2];
 	byte_count        : uint32;
-	error_data        : SMB2_error_data(header, byte_count);
+	# This is implemented incorrectly and is disabled for now.
+	#error_data        : SMB2_error_data(header, byte_count);
+	stuff : bytestring &restofdata &transient;
 } &byteorder = littleendian;
 
 type SMB2_logoff_request(header: SMB2_Header) = record {
diff --git a/src/analyzer/protocol/smb/smb2_com_ioctl.bif b/src/analyzer/protocol/smb/smb2_com_ioctl.bif
deleted file mode 100644
index 996cee9ad8..0000000000
--- a/src/analyzer/protocol/smb/smb2_com_ioctl.bif
+++ /dev/null
@@ -1 +0,0 @@
-# Empty.
diff --git a/src/analyzer/protocol/smb/smb2_com_lock.bif b/src/analyzer/protocol/smb/smb2_com_lock.bif
deleted file mode 100644
index b22403cef0..0000000000
--- a/src/analyzer/protocol/smb/smb2_com_lock.bif
+++ /dev/null
@@ -1 +0,0 @@
-# Empty.
\ No newline at end of file
diff --git a/src/analyzer/protocol/smb/smb2_com_set_info.bif b/src/analyzer/protocol/smb/smb2_com_set_info.bif
index 6fd232ed7d..3aeeb579fe 100644
--- a/src/analyzer/protocol/smb/smb2_com_set_info.bif
+++ b/src/analyzer/protocol/smb/smb2_com_set_info.bif
@@ -11,7 +11,7 @@
 ##
 ## dst_filename: The filename to rename the file into.
 ##
-## .. bro:see:: smb2_message smb2_set_info_request smb2_file_delete
+## .. bro:see:: smb2_message smb2_file_delete
 event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%);
 
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@@ -26,7 +26,7 @@ event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d
 ## delete_pending: A boolean value to indicate that a file should be deleted 
 ##                 when it's closed if set to T.
 ##
-## .. bro:see:: smb2_message smb2_set_info_request smb2_file_rename
+## .. bro:see:: smb2_message smb2_file_rename
 event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%);
 
 # TODO - Not implemented
diff --git a/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif b/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif
index 996cee9ad8..fdcd5d9d8b 100644
--- a/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif
+++ b/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif
@@ -1 +1,22 @@
-# Empty.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *tree disconnect*. This is sent by the client to logically disconnect
+## client access to a server resource.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## .. bro:see:: smb2_message
+event smb2_tree_disconnect_request%(c: connection, hdr: SMB2::Header%);
+
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *tree disconnect*. This is sent by the server to logically disconnect
+## client access to a server resource.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## .. bro:see:: smb2_message
+event smb2_tree_disconnect_response%(c: connection, hdr: SMB2::Header%);
diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt
index 0f45aa1f32..14e41892c8 100644
--- a/src/analyzer/protocol/ssl/CMakeLists.txt
+++ b/src/analyzer/protocol/ssl/CMakeLists.txt
@@ -12,6 +12,7 @@ bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyz
 	proc-client-hello.pac
 	proc-server-hello.pac
 	proc-certificate.pac
+	tls-handshake-signed_certificate_timestamp.pac
 )
 bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac
 	proc-client-hello.pac
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 2855dd7fe9..7f0814ee27 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -87,6 +87,7 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
 ##    ssl_session_ticket_handshake ssl_extension_ec_point_formats
 ##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
 ##    ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
+##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 
 ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
@@ -104,6 +105,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 ##    ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
 ##    ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
 ##    ssl_extension_key_share
+##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
 
 ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
@@ -122,6 +124,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
 ##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
 ##    ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
 ##    ssl_extension_key_share
+##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
 
 ## Generated for an Signature Algorithms extension. This TLS extension
@@ -139,6 +142,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
 ##    ssl_extension_server_name ssl_server_curve ssl_extension_key_share
+##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
 
 ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
@@ -155,6 +159,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
 ##    ssl_extension_server_name ssl_server_curve
+##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%);
 
 ## Generated if a named curve is chosen by the server for an SSL/TLS connection.
@@ -169,6 +174,7 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%)
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
 ##    ssl_extension_server_name ssl_extension_key_share
+##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 event ssl_server_curve%(c: connection, curve: count%);
 
 ## Generated if a server uses a DH-anon or DHE cipher suite. This event contains
@@ -192,7 +198,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%);
 ## the initial handshake. It contains the list of client supported application
 ## protocols by the client or the server, respectively.
 ##
-## At the moment it is mostly used to negotiate the use of SPDY / HTTP2-drafts.
+## At the moment it is mostly used to negotiate the use of SPDY / HTTP2.
 ##
 ## c: The connection.
 ##
@@ -204,6 +210,8 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%);
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
 ##    ssl_extension_server_name ssl_extension_key_share
+##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+##    ssl_extension_signed_certificate_timestamp
 event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
 
 ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
@@ -223,8 +231,76 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or
 ##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
 ##    ssl_extension_application_layer_protocol_negotiation
 ##    ssl_extension_key_share
+##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+##    ssl_extension_signed_certificate_timestamp
 event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
 
+## Generated for the signed_certificate_timestamp TLS extension as defined in
+## :rfc:`6962`. The extension is used to transmit signed proofs that are
+## used for Certificate Transparency.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## version: the version of the protocol to which the SCT conforms. Always
+##          should be 0 (representing version 1)
+##
+## logid: 32 bit key id
+##
+## timestamp: the NTP Time when the entry was logged measured since
+##            the epoch, ignoring leap seconds, in milliseconds.
+##
+## signature_and_hashalgorithm: signature and hash algorithm used for the
+##                              digitally_signed struct
+##
+## signature: signature part of the digitally_signed struct
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+##    ssl_extension_server_name ssl_extension_key_share
+##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+##    ssl_extension_application_layer_protocol_negotiation
+##    x509_ocsp_ext_signed_certificate_timestamp sct_verify
+event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
+
+## Generated for an TLS Supported Versions extension. This TLS extension
+## is defined in the TLS 1.3 rfc and sent by the client in the initial handshake.
+## It contains the TLS versions that it supports. This informaion can be used by
+## the server to choose the best TLS version o use.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## versions: List of supported TLS versions.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+##    ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_key_share ssl_extension_server_name
+##    ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
+event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%);
+
+## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
+## in the TLS 1.3 rfc and sent by the client in the initial handshake. It contains the
+## list of Pre-Shared Key Exchange Modes that it supports.
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## versions: List of supported Pre-Shared Key Exchange Modes.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+##    ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_key_share ssl_extension_server_name
+##    ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
+event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
+
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
 ## an unencrypted handshake, and Bro extracts as much information out of that
 ## as it can. This event signals the time when an SSL/TLS has finished the
diff --git a/src/analyzer/protocol/ssl/functions.bif b/src/analyzer/protocol/ssl/functions.bif
index f7fa76ca36..17720bcbb1 100644
--- a/src/analyzer/protocol/ssl/functions.bif
+++ b/src/analyzer/protocol/ssl/functions.bif
@@ -1,6 +1,7 @@
 
 %%{
 #include "analyzer/protocol/ssl/SSL.h"
+#include <openssl/x509.h>
 %%}
 
 ## Sets if the SSL analyzer should consider the connection established (handshake
diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac
index c2353e3a88..7c57f31744 100644
--- a/src/analyzer/protocol/ssl/proc-certificate.pac
+++ b/src/analyzer/protocol/ssl/proc-certificate.pac
@@ -9,6 +9,9 @@
 		common.AddRaw(is_orig ? "T" : "F", 1);
 		bro_analyzer()->Conn()->IDString(&common);
 
+		static const string user_mime = "application/x-x509-user-cert";
+		static const string ca_mime = "application/x-x509-ca-cert";
+
 		for ( unsigned int i = 0; i < certificates->size(); ++i )
 			{
 			const bytestring& cert = (*certificates)[i];
@@ -21,7 +24,7 @@
 
 			file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
 			                 cert.length(), bro_analyzer()->GetAnalyzerTag(),
-			                 bro_analyzer()->Conn(), is_orig, file_id);
+			                 bro_analyzer()->Conn(), is_orig, file_id, i == 0 ? user_mime : ca_mime);
 			file_mgr->EndOfFile(file_id);
 			}
 		return true;
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index 405ec34fbf..26eb29bfc5 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -150,6 +150,10 @@ enum SSLExtensions {
 	EXT_EARLY_DATA = 42,
 	EXT_SUPPORTED_VERSIONS = 43,
 	EXT_COOKIE = 44,
+	EXT_PSK_KEY_EXCHANGE_MODES = 45,
+	EXT_TICKET_EARLY_DATA_INFO = 46,
+	EXT_CERTIFICATE_AUTHORITIES = 47,
+	EXT_OID_FILTERS = 48,
 	EXT_NEXT_PROTOCOL_NEGOTIATION = 13172,
 	EXT_ORIGIN_BOUND_CERTIFICATES = 13175,
 	EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180,
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index a4f4f94c6f..e3226551b4 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -189,6 +189,38 @@ refine connection Handshake_Conn += {
 		return true;
 		%}
 
+	function proc_supported_versions(rec: HandshakeRecord, versions_list: uint16[]) : bool
+		%{
+		VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType());
+
+		if ( versions_list )
+			{
+			for ( unsigned int i = 0; i < versions_list->size(); ++i )
+				versions->Assign(i, new Val((*versions_list)[i], TYPE_COUNT));
+			}
+
+		BifEvent::generate_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(),
+			${rec.is_orig}, versions);
+
+		return true;
+		%}
+
+	function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool
+		%{
+		VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType());
+
+		if ( mode_list )
+			{
+			for ( unsigned int i = 0; i < mode_list->size(); ++i )
+				modes->Assign(i, new Val((*mode_list)[i], TYPE_COUNT));
+			}
+
+		BifEvent::generate_ssl_extension_psk_key_exchange_modes(bro_analyzer(), bro_analyzer()->Conn(),
+			${rec.is_orig}, modes);
+
+		return true;
+		%}
+
 	function proc_v3_certificate(is_orig: bool, cl : X509Certificate[]) : bool
 		%{
 		vector<X509Certificate*>* certs = cl;
@@ -211,12 +243,30 @@ refine connection Handshake_Conn += {
 
 	function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool
 		%{
-		 if ( status_type == 1 ) // ocsp
+		ODesc common;
+		common.AddRaw("Analyzer::ANALYZER_SSL");
+		common.Add(bro_analyzer()->Conn()->StartTime());
+		common.AddRaw("F");
+		bro_analyzer()->Conn()->IDString(&common);
+
+		if ( status_type == 1 ) // ocsp
 			{
+			ODesc file_handle;
+			file_handle.Add(common.Description());
+			file_handle.Add("ocsp");
+
+			string file_id = file_mgr->HashHandle(file_handle.Description());
+
+			file_mgr->DataIn(reinterpret_cast<const u_char*>(response.data()),
+			                 response.length(), bro_analyzer()->GetAnalyzerTag(),
+			                 bro_analyzer()->Conn(), false, file_id, "application/ocsp-response");
+
 			BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
 							    bro_analyzer()->Conn(), ${rec.is_orig},
 							    new StringVal(response.length(),
 							    (const char*) response.data()));
+
+			file_mgr->EndOfFile(file_id);
 			}
 
 		return true;
@@ -231,6 +281,24 @@ refine connection Handshake_Conn += {
 		return true;
 		%}
 
+	function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool
+		%{
+		RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
+		ha->Assign(0, new Val(digitally_signed_algorithms->HashAlgorithm(), TYPE_COUNT));
+		ha->Assign(1, new Val(digitally_signed_algorithms->SignatureAlgorithm(), TYPE_COUNT));
+
+		BifEvent::generate_ssl_extension_signed_certificate_timestamp(bro_analyzer(),
+			bro_analyzer()->Conn(), ${rec.is_orig},
+			version,
+			new StringVal(logid.length(), reinterpret_cast<const char*>(logid.begin())),
+			timestamp,
+			ha,
+			new StringVal(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
+		);
+
+		return true;
+		%}
+
 	function proc_dh_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool
 		%{
 		BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
@@ -251,7 +319,6 @@ refine connection Handshake_Conn += {
 		return true;
 		%}
 
-
 };
 
 refine typeattr ClientHello += &let {
@@ -329,7 +396,18 @@ refine typeattr DhServerKeyExchange += &let {
 	proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys);
 };
 
+refine typeattr SupportedVersions += &let {
+	proc : bool = $context.connection.proc_supported_versions(rec, versions);
+};
+
+refine typeattr PSKKeyExchangeModes += &let {
+	proc : bool = $context.connection.proc_psk_key_exchange_modes(rec, modes);
+};
+
 refine typeattr Handshake += &let {
 	proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length);
 };
 
+refine typeattr SignedCertificateTimestamp += &let {
+	proc : bool = $context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature);
+};
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index da01a27f1d..6a1988111e 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -485,11 +485,26 @@ type SSLExtension(rec: HandshakeRecord) = record {
 #		EXT_STATUS_REQUEST -> status_request: StatusRequest(rec)[] &until($element == 0 || $element != 0);
 		EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0);
 		EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0);
+		EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0);
 		EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0);
+		EXT_SUPPORTED_VERSIONS -> supported_versions: SupportedVersions(rec)[] &until($element == 0 || $element != 0);
+		EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0);
 		default -> data: bytestring &restofdata;
 	};
 } &length=data_len+4 &exportsourcedata;
 
+%include tls-handshake-signed_certificate_timestamp.pac
+
+type SupportedVersions(rec: HandshakeRecord) = record {
+	length: uint8;
+	versions: uint16[] &until($input.length() == 0);
+} &length=length+1;
+
+type PSKKeyExchangeModes(rec: HandshakeRecord) = record {
+	length: uint8;
+	modes: uint8[] &until($input.length() == 0);
+} &length=length+1;
+
 type ServerNameHostName() = record {
 	length: uint16;
 	host_name: bytestring &length=length;
@@ -551,11 +566,6 @@ type KeyShare(rec: HandshakeRecord) = case rec.msg_type of {
 	default -> other : bytestring &restofdata &transient;
 };
 
-type SignatureAndHashAlgorithm() = record {
-	HashAlgorithm: uint8;
-	SignatureAlgorithm: uint8;
-}
-
 type SignatureAlgorithm(rec: HandshakeRecord) = record {
 	length: uint16;
 	supported_signature_algorithms: SignatureAndHashAlgorithm[] &until($input.length() == 0);
diff --git a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
new file mode 100644
index 0000000000..f921db0790
--- /dev/null
+++ b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
@@ -0,0 +1,28 @@
+# We keep this extension separate, because it also can be included in X.509 certificates.
+# If included there, it uses the exact same syntax and we just symlink it from the X.509
+# file analyzer tree.
+
+type SignatureAndHashAlgorithm() = record {
+	HashAlgorithm: uint8;
+	SignatureAlgorithm: uint8;
+}
+
+type SignedCertificateTimestampList(rec: HandshakeRecord) = record {
+	length: uint16;
+	SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0);
+} &length=length+2;
+
+type SignedCertificateTimestamp(rec: HandshakeRecord) = record {
+	# before - framing
+	length: uint16;
+	# from here: SignedCertificateTimestamp
+	version: uint8;
+	logid: bytestring &length=32;
+	timestamp: uint64;
+	extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them
+	extensions: bytestring &length=extensions_length;
+	digitally_signed_algorithms: SignatureAndHashAlgorithm;
+	digitally_signed_signature_length: uint16;
+	digitally_signed_signature: bytestring &length=digitally_signed_signature_length;
+} &length=length+2;
+
diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
index 3240b57bb3..5253ce050b 100644
--- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
+++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
@@ -11,6 +11,11 @@ refine connection XMPP_Conn += {
 	function proc_xmpp_token(is_orig: bool, name: bytestring, rest: bytestring): bool
 		%{
 		string token = std_str(name);
+		// Result will either be text after ":" or original string; this discards the namespace
+		string token_no_ns = std_str(name);
+		auto offset = token_no_ns.find(":");
+		if ( offset != std::string::npos && token_no_ns.length() > offset + 1 )
+			token_no_ns = token_no_ns.substr(offset + 1);
 
 		if ( is_orig && token == "stream:stream" )
 			// Yup, looks like xmpp...
@@ -21,10 +26,10 @@ refine connection XMPP_Conn += {
 			// Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
 			bro_analyzer()->SetSkip(true);
 
-		if ( is_orig && token == "starttls" )
+		if ( is_orig && ( token == "starttls" || token_no_ns == "starttls" ) )
 			client_starttls = true;
 
-		if ( !is_orig && token == "proceed" && client_starttls )
+		if ( !is_orig && ( token == "proceed" || token_no_ns == "proceed" ) && client_starttls )
 			{
 			bro_analyzer()->StartTLS();
 			BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn());
@@ -32,7 +37,7 @@ refine connection XMPP_Conn += {
 		else if ( !is_orig && token == "proceed" )
 			reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls");
 
-		//printf("Processed: %d %s %s \n", is_orig, c_str(name), c_str(rest));
+		// printf("Processed: %d %s %s %s \n", is_orig, c_str(name), c_str(rest), token_no_ns.c_str());
 
 		return true;
 		%}
diff --git a/src/analyzer/protocol/zip/CMakeLists.txt b/src/analyzer/protocol/zip/CMakeLists.txt
index 814119f9f7..40c64afd6e 100644
--- a/src/analyzer/protocol/zip/CMakeLists.txt
+++ b/src/analyzer/protocol/zip/CMakeLists.txt
@@ -5,5 +5,4 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 
 bro_plugin_begin(Bro ZIP)
 bro_plugin_cc(ZIP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/zip/ZIP.cc b/src/analyzer/protocol/zip/ZIP.cc
index d14df95673..d44c6353cd 100644
--- a/src/analyzer/protocol/zip/ZIP.cc
+++ b/src/analyzer/protocol/zip/ZIP.cc
@@ -2,8 +2,6 @@
 
 #include "ZIP.h"
 
-#include "events.bif.h"
-
 using namespace analyzer::zip;
 
 ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method)
diff --git a/src/analyzer/protocol/zip/events.bif b/src/analyzer/protocol/zip/events.bif
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/src/bro.bif b/src/bro.bif
index b23a673634..852f806230 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -1029,7 +1029,7 @@ function clear_table%(v: any%): any
 	return 0;
 	%}
 
-## Gets all subnets that contain a given subnet from a set/table[subnet]
+## Gets all subnets that contain a given subnet from a set/table[subnet].
 ##
 ## search: the subnet to search for.
 ##
@@ -1047,8 +1047,8 @@ function matching_subnets%(search: subnet, t: any%): subnet_vec
 	return t->AsTableVal()->LookupSubnets(search);
 	%}
 
-## For a set[subnet]/table[subnet], create a new table that contains all entries that
-## contain a given subnet.
+## For a set[subnet]/table[subnet], create a new table that contains all entries
+## that contain a given subnet.
 ##
 ## search: the subnet to search for.
 ##
@@ -1067,7 +1067,7 @@ function filter_subnet_table%(search: subnet, t: any%): any
 	%}
 
 ## Checks if a specific subnet is a member of a set/table[subnet].
-## In difference to the ``in`` operator, this performs an exact match, not
+## In contrast to the ``in`` operator, this performs an exact match, not
 ## a longest prefix match.
 ##
 ## search: the subnet to search for.
@@ -1994,7 +1994,7 @@ function is_v6_addr%(a: addr%): bool
 ##
 ## s: the subnet to check.
 ##
-## Returns: true if *a* is an IPv4 subnet, else false.
+## Returns: true if *s* is an IPv4 subnet, else false.
 function is_v4_subnet%(s: subnet%): bool
 	%{
 	if ( s->AsSubNet().Prefix().GetFamily() == IPv4 )
@@ -2007,7 +2007,7 @@ function is_v4_subnet%(s: subnet%): bool
 ##
 ## s: the subnet to check.
 ##
-## Returns: true if *a* is an IPv6 subnet, else false.
+## Returns: true if *s* is an IPv6 subnet, else false.
 function is_v6_subnet%(s: subnet%): bool
 	%{
 	if ( s->AsSubNet().Prefix().GetFamily() == IPv6 )
@@ -2311,7 +2311,7 @@ function to_subnet%(sn: string%): subnet
 ##
 ## a: The address to convert.
 ##
-## Returns: The *a* address as a :bro:type:`subnet`.
+## Returns: The address as a :bro:type:`subnet`.
 ##
 ## .. bro:see:: to_subnet
 function addr_to_subnet%(a: addr%): subnet
@@ -2320,12 +2320,12 @@ function addr_to_subnet%(a: addr%): subnet
 	return new SubNetVal(a->AsAddr(), width);
 	%}
 
-## Converts a :bro:type:`subnet` to a :bro:type:`addr` by
+## Converts a :bro:type:`subnet` to an :bro:type:`addr` by
 ## extracting the prefix.
 ##
-## s: The subnet to convert.
+## sn: The subnet to convert.
 ##
-## Returns: The *s* subnet as a :bro:type:`addr`.
+## Returns: The subnet as an :bro:type:`addr`.
 ##
 ## .. bro:see:: to_subnet
 function subnet_to_addr%(sn: subnet%): addr
@@ -2335,7 +2335,7 @@ function subnet_to_addr%(sn: subnet%): addr
 
 ## Returns the width of a :bro:type:`subnet`.
 ##
-## s: The subnet to convert.
+## sn: The subnet.
 ##
 ## Returns: The width of the subnet.
 ##
@@ -3343,7 +3343,7 @@ function dump_packet%(pkt: pcap_packet, file_name: string%) : bool
 
 	if ( addl_pkt_dumper )
 		{
-		struct timeval ts;
+		pkt_timeval ts;
 		uint32 caplen, len, link_type;
 		u_char *data;
 
@@ -4039,6 +4039,7 @@ function set_inactivity_timeout%(cid: conn_id, t: interval%): interval
 ##
 ## .. bro:see:: active_file open_for_append close write_file
 ##              get_file_name set_buf flush_all mkdir enable_raw_output
+##              rmdir unlink rename
 function open%(f: string%): file
 	%{
 	const char* file = f->CheckString();
@@ -4058,6 +4059,7 @@ function open%(f: string%): file
 ##
 ## .. bro:see:: active_file open close write_file
 ##              get_file_name set_buf flush_all mkdir enable_raw_output
+##              rmdir unlink rename
 function open_for_append%(f: string%): file
 	%{
 	return new Val(new BroFile(f->CheckString(), "a"));
@@ -4071,6 +4073,7 @@ function open_for_append%(f: string%): file
 ##
 ## .. bro:see:: active_file open open_for_append write_file
 ##              get_file_name set_buf flush_all mkdir enable_raw_output
+##              rmdir unlink rename
 function close%(f: file%): bool
 	%{
 	return new Val(f->Close(), TYPE_BOOL);
@@ -4086,6 +4089,7 @@ function close%(f: file%): bool
 ##
 ## .. bro:see:: active_file open open_for_append close
 ##              get_file_name set_buf flush_all mkdir enable_raw_output
+##              rmdir unlink rename
 function write_file%(f: file, data: string%): bool
 	%{
 	if ( ! f )
@@ -4106,6 +4110,7 @@ function write_file%(f: file, data: string%): bool
 ##
 ## .. bro:see:: active_file open open_for_append close
 ##              get_file_name write_file flush_all mkdir enable_raw_output
+##              rmdir unlink rename
 function set_buf%(f: file, buffered: bool%): any
 	%{
 	f->SetBuf(buffered);
@@ -4118,6 +4123,7 @@ function set_buf%(f: file, buffered: bool%): any
 ##
 ## .. bro:see:: active_file open open_for_append close
 ##              get_file_name write_file set_buf mkdir enable_raw_output
+##              rmdir unlink rename
 function flush_all%(%): bool
 	%{
 	return new Val(fflush(0) == 0, TYPE_BOOL);
@@ -4127,17 +4133,102 @@ function flush_all%(%): bool
 ##
 ## f: The directory name.
 ##
-## Returns: Returns true if the operation succeeds or if *f* already exists,
+## Returns: True if the operation succeeds or if *f* already exists,
 ##          and false if the file creation fails.
 ##
 ## .. bro:see:: active_file open_for_append close write_file
 ##              get_file_name set_buf flush_all enable_raw_output
+##              rmdir unlink rename
 function mkdir%(f: string%): bool
 	%{
 	const char* filename = f->CheckString();
-	if ( mkdir(filename, 0777) < 0 && errno != EEXIST )
+
+	if ( mkdir(filename, 0777) < 0 )
 		{
-		builtin_error("cannot create directory", @ARG@[0]);
+		int error = errno;
+		struct stat filestat;
+		// check if already exists and is directory.
+		if ( errno == EEXIST && stat(filename, &filestat) == 0
+		     && S_ISDIR(filestat.st_mode) )
+			return new Val(1, TYPE_BOOL);
+
+		builtin_error(fmt("cannot create directory '%s': %s", filename,
+		                  strerror(error)));
+		return new Val(0, TYPE_BOOL);
+		}
+	else
+		return new Val(1, TYPE_BOOL);
+	%}
+
+
+## Removes a directory.
+##
+## d: The directory name.
+##
+## Returns: True if the operation succeeds, and false if the
+##          directory delete operation fails.
+##
+## .. bro:see:: active_file open_for_append close write_file
+##              get_file_name set_buf flush_all enable_raw_output
+##              mkdir unlink rename
+function rmdir%(d: string%): bool
+	%{
+	const char* dirname = d->CheckString();
+
+	if ( rmdir(dirname) < 0 )
+		{
+		builtin_error(fmt("cannot remove directory '%s': %s", dirname,
+		                  strerror(errno)));
+		return new Val(0, TYPE_BOOL);
+		}
+	else
+		return new Val(1, TYPE_BOOL);
+	%}
+
+## Removes a file from a directory.
+##
+## f: the file to delete.
+##
+## Returns: True if the operation succeeds and the file was deleted,
+##          and false if the deletion fails.
+##
+## .. bro:see:: active_file open_for_append close write_file
+##              get_file_name set_buf flush_all enable_raw_output
+##              mkdir rmdir rename
+function unlink%(f: string%): bool
+	%{
+	const char* filename = f->CheckString();
+
+	if ( unlink(filename) < 0 )
+		{
+		builtin_error(fmt("cannot unlink file '%s': %s", filename,
+		                  strerror(errno)));
+		return new Val(0, TYPE_BOOL);
+		}
+	else
+		return new Val(1, TYPE_BOOL);
+	%}
+
+## Renames a file from src_f to dst_f.
+##
+## src_f: the name of the file to rename.
+##
+## dest_f: the name of the file after the rename operation.
+##
+## Returns: True if the rename succeeds and false otherwise.
+##
+## .. bro:see:: active_file open_for_append close write_file
+##              get_file_name set_buf flush_all enable_raw_output
+##              mkdir rmdir unlink
+function rename%(src_f: string, dst_f: string%): bool
+	%{
+	const char* src_filename = src_f->CheckString();
+	const char* dst_filename = dst_f->CheckString();
+
+	if ( rename(src_filename, dst_filename) < 0 )
+		{
+		builtin_error(fmt("cannot rename file '%s' to '%s': %s", src_filename,
+		                  dst_filename, strerror(errno)));
 		return new Val(0, TYPE_BOOL);
 		}
 	else
diff --git a/src/broker/Data.cc b/src/broker/Data.cc
index bc4197a974..6420144193 100644
--- a/src/broker/Data.cc
+++ b/src/broker/Data.cc
@@ -709,3 +709,435 @@ bool bro_broker::DataVal::DoUnserialize(UnserialInfo* info)
 	delete [] serial;
 	return true;
 	}
+
+static broker::util::optional<broker::data> threading_val_to_data_internal(TypeTag type, const threading::Value::_val& val)
+	{
+	switch ( type ) {
+	case TYPE_BOOL:
+	        return {val.int_val != 0};
+
+	case TYPE_INT:
+	        return {val.int_val};
+
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+	        return {val.uint_val};
+
+	case TYPE_PORT:
+		return {broker::port(val.port_val.port, to_broker_port_proto(val.port_val.proto))};
+
+	case TYPE_ADDR:
+		{
+		IPAddr a;
+
+		switch ( val.addr_val.family ) {
+		case IPv4:
+			a = IPAddr(val.addr_val.in.in4);
+			break;
+
+		case IPv6:
+			a = IPAddr(val.addr_val.in.in6);
+			break;
+
+		default:
+			reporter->InternalError("unsupported protocol family in threading_val_to_data");
+		}
+
+		in6_addr tmp;
+		a.CopyIPv6(&tmp);
+		return {broker::address(reinterpret_cast<const uint32_t*>(&tmp),
+					broker::address::family::ipv6,
+					broker::address::byte_order::network)};
+		}
+
+	case TYPE_SUBNET:
+		{
+		IPAddr a;
+		int length;
+
+		switch ( val.subnet_val.prefix.family ) {
+		case IPv4:
+			a = IPAddr(val.subnet_val.prefix.in.in4);
+			length = (val.subnet_val.length - 96);
+			break;
+
+		case IPv6:
+			a = IPAddr(val.subnet_val.prefix.in.in6);
+			length = val.subnet_val.length;
+			break;
+
+		default:
+			reporter->InternalError("unsupported protocol family in threading_val_to_data");
+		}
+
+		in6_addr tmp;
+		a.CopyIPv6(&tmp);
+
+		auto s = broker::address(reinterpret_cast<const uint32_t*>(&tmp),
+		                         broker::address::family::ipv6,
+		                         broker::address::byte_order::network);
+		return {broker::subnet(s, length)};
+		}
+
+	case TYPE_DOUBLE:
+	        return {val.double_val};
+
+	case TYPE_TIME:
+		return {broker::time_point(val.double_val)};
+
+	case TYPE_INTERVAL:
+		return {broker::time_duration(val.double_val)};
+
+	case TYPE_ENUM:
+		return {broker::enum_value(std::string(val.string_val.data, val.string_val.length))};
+
+	case TYPE_STRING:
+	case TYPE_FILE:
+	case TYPE_FUNC:
+		return {std::string(val.string_val.data, val.string_val.length)};
+
+	case TYPE_TABLE:
+		{
+		auto s = broker::set();
+
+		for ( int i = 0; i < val.set_val.size; ++i )
+			{
+			auto c = bro_broker::threading_val_to_data(val.set_val.vals[i]);
+
+			if ( ! c )
+				return {};
+
+			s.emplace(*c);
+			}
+
+		return {move(s)};
+		}
+
+	case TYPE_VECTOR:
+		{
+		auto s = broker::vector();
+
+		for ( int i = 0; i < val.vector_val.size; ++i )
+			{
+			auto c = bro_broker::threading_val_to_data(val.vector_val.vals[i]);
+
+			if ( ! c )
+				return {};
+
+			s.emplace_back(*c);
+			}
+
+		return {move(s)};
+		}
+
+	default:
+		reporter->InternalError("unsupported type %s in threading_val_to_data",
+		                        type_name(type));
+	}
+
+	return {};
+	}
+
+
+broker::util::optional<broker::data> bro_broker::threading_val_to_data(const threading::Value* v)
+	{
+	broker::util::optional<broker::data> d;
+
+	if ( v->present )
+		{
+		d = threading_val_to_data_internal(v->type, v->val);
+
+		if ( ! d )
+			return {};
+		}
+
+	auto type = broker::record::field(static_cast<uint64_t>(v->type));
+	auto present = broker::record::field(v->present);
+	auto data = (v->present) ? broker::record::field(*d) : broker::util::optional<broker::data>();
+
+	return {broker::record({move(type), move(present), move(data)})};
+	};
+
+struct threading_val_converter {
+	using result_type = bool;
+
+	TypeTag type;
+	threading::Value::_val& val;
+
+	result_type operator()(bool a)
+		{
+		if ( type == TYPE_BOOL )
+			{
+			val.int_val = (a ? 1 : 0);
+			return true;
+			}
+
+		return false;
+		}
+
+	result_type operator()(uint64_t a)
+		{
+		if ( type == TYPE_COUNT || type == TYPE_COUNTER )
+			{
+			val.uint_val = a;
+			return true;
+			}
+
+		return false;
+		}
+
+	result_type operator()(int64_t a)
+		{
+		if ( type == TYPE_INT )
+			{
+			val.int_val = a;
+			return true;
+			}
+
+		return false;
+		}
+
+	result_type operator()(double a)
+		{
+		if ( type == TYPE_DOUBLE )
+			{
+			val.double_val = a;
+			return true;
+			}
+
+		return false;
+		}
+
+
+	result_type operator()(const std::string& a)
+		{
+		if ( type == TYPE_STRING || type == TYPE_FILE || type == TYPE_FUNC )
+			{
+			auto n = a.size();
+			val.string_val.length = n;
+			val.string_val.data = new char[n];
+			memcpy(val.string_val.data, a.data(), n);
+			return true;
+			}
+
+		return false;
+		}
+
+	result_type operator()(const broker::address& a)
+		{
+		if ( type == TYPE_ADDR )
+			{
+			auto bits = reinterpret_cast<const in6_addr*>(&a.bytes());
+			auto b = IPAddr(*bits);
+
+			if ( a.is_v4() )
+				{
+				val.addr_val.family = IPv4;
+				b.CopyIPv4(&val.addr_val.in.in4);
+				return true;
+				}
+
+			if ( a.is_v6() )
+				{
+				val.addr_val.family = IPv6;
+				b.CopyIPv6(&val.addr_val.in.in6);
+				return true;
+				}
+			}
+
+		return false;
+		}
+
+	result_type operator()(const broker::subnet& s)
+		{
+		if ( type == TYPE_SUBNET )
+			{
+			auto bits = reinterpret_cast<const in6_addr*>(&s.network().bytes());
+			auto a = IPAddr(*bits);
+
+			val.subnet_val.length = s.length();
+
+			if ( s.network().is_v4() )
+				{
+				val.subnet_val.prefix.family = IPv4;
+				a.CopyIPv4(&val.subnet_val.prefix.in.in4);
+				val.subnet_val.length += 96;
+				return true;
+				}
+
+			if ( s.network().is_v6() )
+				{
+				val.subnet_val.prefix.family = IPv6;
+				a.CopyIPv6(&val.subnet_val.prefix.in.in6);
+				return true;
+				}
+			}
+
+		return false;
+		}
+
+	result_type operator()(const broker::port& a)
+		{
+		if ( type == TYPE_PORT )
+			{
+			val.port_val.port = a.number();
+			val.port_val.proto = bro_broker::to_bro_port_proto(a.type());
+			return true;
+			}
+
+		return false;
+		}
+
+	result_type operator()(const broker::time_point& a)
+		{
+		if ( type == TYPE_TIME )
+			{
+			val.double_val = a.value;
+			return true;
+			}
+
+		return false;
+		}
+
+	result_type operator()(const broker::time_duration& a)
+		{
+		if ( type == TYPE_INTERVAL )
+			{
+			val.double_val = a.value;
+			return true;
+			}
+
+		return false;
+		}
+
+	result_type operator()(const broker::enum_value& a)
+		{
+		if ( type == TYPE_ENUM )
+			{
+			auto n = a.name.size();
+			val.string_val.length = n;
+			val.string_val.data = new char[n];
+			memcpy(val.string_val.data, a.name.data(), n);
+			return true;
+			}
+
+		return false;
+		}
+
+	result_type operator()(const broker::set& a)
+		{
+		if ( type == TYPE_TABLE )
+			{
+			val.set_val.size = a.size();
+			val.set_val.vals = new threading::Value* [val.set_val.size];
+
+			auto p = val.set_val.vals;
+
+			for ( auto& i : a )
+				*p++ = bro_broker::data_to_threading_val(move(i));
+
+			return true;
+			}
+
+		return false;
+		}
+
+	result_type operator()(const broker::table& a)
+		{
+		return false;
+		}
+
+	result_type operator()(const broker::vector& a)
+		{
+		if ( type == TYPE_VECTOR )
+			{
+			val.vector_val.size = a.size();
+			val.vector_val.vals = new threading::Value* [val.vector_val.size];
+
+			auto p = val.vector_val.vals;
+
+			for ( auto& i : a )
+				*p++ = bro_broker::data_to_threading_val(move(i));
+
+			return true;
+			}
+
+		return false;
+		}
+
+	result_type operator()(const broker::record& a)
+		{
+		return false;
+		}
+};
+
+threading::Value* bro_broker::data_to_threading_val(broker::data d)
+	{
+	auto r = broker::get<broker::record>(d);
+
+	if ( ! r )
+		return nullptr;
+
+	auto type = broker::get<uint64_t>(*r->get(0));
+	auto present = broker::get<bool>(*r->get(1));
+	auto data = r->get(2);
+
+	if ( ! (type && present) )
+		return nullptr;
+
+	if ( *present && ! data )
+		return nullptr;
+
+	auto tv = new threading::Value;
+	tv->type = static_cast<TypeTag>(*type);
+	tv->present = *present;
+
+	if ( *present && ! broker::visit(threading_val_converter{tv->type, tv->val}, *data) )
+		{
+		delete tv;
+		return nullptr;
+		}
+
+	return tv;
+	}
+
+broker::data bro_broker::threading_field_to_data(const threading::Field* f)
+	{
+	auto name = broker::record::field(f->name);
+	auto type = broker::record::field(static_cast<uint64_t>(f->type));
+	auto subtype = broker::record::field(static_cast<uint64_t>(f->subtype));
+	auto optional = broker::record::field(f->optional);
+
+	broker::util::optional<broker::data> secondary;
+
+	if ( f->secondary_name )
+		secondary = {f->secondary_name};
+
+	return move(broker::record({name, secondary, type, subtype, optional}));
+	}
+
+threading::Field* bro_broker::data_to_threading_field(broker::data d)
+	{
+	auto r = broker::get<broker::record>(d);
+
+	if ( ! r )
+		return nullptr;
+
+	auto name = broker::get<std::string>(*r->get(0));
+	auto secondary = r->get(1);
+	auto type = broker::get<uint64_t>(*r->get(2));
+	auto subtype = broker::get<uint64_t>(*r->get(3));
+	auto optional = broker::get<bool>(*r->get(4));
+
+	if ( ! (name && type && subtype && optional) )
+		return nullptr;
+
+	if ( secondary && ! broker::is<std::string>(*secondary) )
+		return nullptr;
+
+	return new threading::Field(name->c_str(),
+				    secondary ? broker::get<std::string>(*secondary)->c_str() : nullptr,
+				    static_cast<TypeTag>(*type),
+				    static_cast<TypeTag>(*subtype),
+				    *optional);
+	}
diff --git a/src/broker/Data.h b/src/broker/Data.h
index 0045ad58ad..526304b00c 100644
--- a/src/broker/Data.h
+++ b/src/broker/Data.h
@@ -61,6 +61,36 @@ broker::util::optional<broker::data> val_to_data(Val* v);
  */
 Val* data_to_val(broker::data d, BroType* type, bool require_log_attr = false);
 
+/**
+ * Convert a Bro threading::Value to a Broker data value.
+ * @param v a Bro threading::Value.
+ * @return a Broker data value if the Bro threading::Value could be converted to one.
+ */
+broker::util::optional<broker::data> threading_val_to_data(const threading::Value* v);
+
+/**
+ * Convert a Bro threading::Field to a Broker data value.
+ * @param f a Bro threading::Field.
+ * @return a Broker data value if the Bro threading::Field could be converted to one.
+ */
+broker::data threading_field_to_data(const threading::Field* f);
+
+/**
+ * Convert a Broker data value to a Bro threading::Value.
+ * @param d a Broker data value.
+ * @return a pointer to a new Bro threading::Value or a nullptr if the conversion was not
+ * possible.
+ */
+threading::Value* data_to_threading_val(broker::data d);
+
+/**
+ * Convert a Broker data value to a Bro threading::Value.
+ * @param d a Broker data value.
+ * @return a pointer to a new Bro threading::Value or a nullptr if the conversion was not
+ * possible.
+ */
+threading::Field* data_to_threading_field(broker::data d);
+
 /**
  * A Bro value which wraps a Broker data value.
  */
diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc
index 334b7f84f5..eebcd2792f 100644
--- a/src/broker/Manager.cc
+++ b/src/broker/Manager.cc
@@ -20,10 +20,17 @@ using namespace std;
 
 VectorType* bro_broker::Manager::vector_of_data_type;
 EnumType* bro_broker::Manager::log_id_type;
+EnumType* bro_broker::Manager::writer_id_type;
 int bro_broker::Manager::send_flags_self_idx;
 int bro_broker::Manager::send_flags_peers_idx;
 int bro_broker::Manager::send_flags_unsolicited_idx;
 
+struct unref_guard {
+	unref_guard(Val* v) : val(v) {}
+	~unref_guard() { Unref(val); }
+	Val* val;
+};
+
 bro_broker::Manager::Manager()
 	: iosource::IOSource(), next_timestamp(-1)
 	{
@@ -83,6 +90,7 @@ bool bro_broker::Manager::Enable(Val* broker_endpoint_flags)
 	send_flags_unsolicited_idx = require_field(send_flags_type, "unsolicited");
 
 	log_id_type = internal_type("Log::ID")->AsEnumType();
+	writer_id_type = internal_type("Log::Writer")->AsEnumType();
 
 	bro_broker::opaque_of_data_type = new OpaqueType("Broker::Data");
 	bro_broker::opaque_of_set_iterator = new OpaqueType("Broker::SetIterator");
@@ -206,8 +214,10 @@ bool bro_broker::Manager::Event(std::string topic, broker::message msg, int flag
 	return true;
 	}
 
-bool bro_broker::Manager::Log(EnumVal* stream, RecordVal* columns, RecordType* info,
-                        int flags)
+bool bro_broker::Manager::CreateLog(EnumVal* stream, EnumVal* writer,
+				    const logging::WriterBackend::WriterInfo& info,
+				    int num_fields, const threading::Field* const * fields,
+				    int flags, const string& peer)
 	{
 	if ( ! Enabled() )
 		return false;
@@ -221,40 +231,82 @@ bool bro_broker::Manager::Log(EnumVal* stream, RecordVal* columns, RecordType* i
 		return false;
 		}
 
-	broker::record column_data;
+	auto writer_name = writer->Type()->AsEnumType()->Lookup(writer->AsEnum());
 
-	for ( auto i = 0u; i < static_cast<size_t>(info->NumFields()); ++i )
+	if ( ! writer_name )
 		{
-		if ( ! info->FieldDecl(i)->FindAttr(ATTR_LOG) )
-			continue;
+		reporter->Error("Failed to remotely log: writer %d doesn't have name",
+		                writer->AsEnum());
+		return false;
+		}
 
-		auto field_val = columns->LookupWithDefault(i);
+	auto writer_info = info.ToBroker();
 
-		if ( ! field_val )
-			{
-			column_data.fields.emplace_back(broker::record::field{});
-			continue;
-			}
+	broker::vector fields_data;
 
-		auto opt_field_data = val_to_data(field_val);
-		Unref(field_val);
+	for ( auto i = 0; i < num_fields; ++i )
+		{
+		auto field_data = threading_field_to_data(fields[i]);
+		fields_data.push_back(move(field_data));
+		}
 
-		if ( ! opt_field_data )
+	// TODO: If peer is given, send message to just that one destination.
+
+	std::string topic = std::string("bro/log/") + stream_name;
+	auto bstream_name = broker::enum_value(move(stream_name));
+	auto bwriter_name = broker::enum_value(move(writer_name));
+	broker::message msg{move("create"), move(bstream_name), move(bwriter_name), move(writer_info), move(fields_data)};
+	endpoint->send(move(topic), move(msg), flags);
+
+	return true;
+	}
+
+bool bro_broker::Manager::Log(EnumVal* stream, EnumVal* writer, string path, int num_vals, const threading::Value* const * vals, int flags)
+	{
+	if ( ! Enabled() )
+		return false;
+
+	auto stream_name = stream->Type()->AsEnumType()->Lookup(stream->AsEnum());
+
+	if ( ! stream_name )
+		{
+		reporter->Error("Failed to remotely log: stream %d doesn't have name",
+		                stream->AsEnum());
+		return false;
+		}
+
+	auto writer_name = writer->Type()->AsEnumType()->Lookup(writer->AsEnum());
+
+	if ( ! writer_name )
+		{
+		reporter->Error("Failed to remotely log: writer %d doesn't have name",
+		                writer->AsEnum());
+		return false;
+		}
+
+	broker::vector vals_data;
+
+	for ( auto i = 0; i < num_vals; ++i )
+		{
+		auto field_data = threading_val_to_data(vals[i]);
+
+		if ( ! field_data )
 			{
 			reporter->Error("Failed to remotely log stream %s: "
-			                "unsupported type '%s'",
-			                stream_name,
-			                type_name(info->FieldDecl(i)->type->Tag()));
+			                "unsupported type for field #%d",
+			                stream_name, i);
 			return false;
 			}
 
-		column_data.fields.emplace_back(
-		            broker::record::field{move(*opt_field_data)});
+		vals_data.push_back(move(*field_data));
 		}
 
-	broker::message msg{broker::enum_value{stream_name}, move(column_data)};
 	std::string topic = std::string("bro/log/") + stream_name;
+	auto bstream_name = broker::enum_value(move(stream_name));
+	auto bwriter_name = broker::enum_value(move(writer_name));
+	broker::message msg{move("write"), move(bstream_name), move(bwriter_name), move(path), move(vals_data)};
 	endpoint->send(move(topic), move(msg), flags);
+
 	return true;
 	}
 
@@ -639,6 +691,8 @@ void bro_broker::Manager::Process()
 		{
 		switch ( u.status ) {
 		case broker::outgoing_connection_status::tag::established:
+			log_mgr->SendAllWritersTo(u.peer_name);
+
 			if ( Broker::outgoing_connection_established )
 				{
 				val_list* vl = new val_list;
@@ -684,6 +738,8 @@ void bro_broker::Manager::Process()
 		{
 		switch ( u.status ) {
 		case broker::incoming_connection_status::tag::established:
+			log_mgr->SendAllWritersTo(u.peer_name);
+
 			if ( Broker::incoming_connection_established )
 				{
 				val_list* vl = new val_list;
@@ -809,12 +865,6 @@ void bro_broker::Manager::Process()
 			}
 		}
 
-	struct unref_guard {
-		unref_guard(Val* v) : val(v) {}
-		~unref_guard() { Unref(val); }
-		Val* val;
-	};
-
 	for ( auto& ls : log_subscriptions )
 		{
 		auto log_messages = ls.second.q.want_pop();
@@ -826,59 +876,19 @@ void bro_broker::Manager::Process()
 
 		for ( auto& lm : log_messages )
 			{
-			if ( lm.size() != 2 )
+			if ( lm.size() < 1 )
 				{
-				reporter->Warning("got bad remote log size: %zd (expect 2)",
-				                  lm.size());
+				reporter->Warning("got bad remote log message, no type field");
 				continue;
 				}
 
-			if ( ! broker::get<broker::enum_value>(lm[0]) )
-				{
-				reporter->Warning("got remote log w/o stream id: %d",
-				                  static_cast<int>(broker::which(lm[0])));
-				continue;
-				}
-
-			if ( ! broker::get<broker::record>(lm[1]) )
-				{
-				reporter->Warning("got remote log w/o columns: %d",
-				                  static_cast<int>(broker::which(lm[1])));
-				continue;
-				}
-
-			auto stream_id = data_to_val(move(lm[0]), log_id_type);
-
-			if ( ! stream_id )
-				{
-				reporter->Warning("failed to unpack remote log stream id");
-				continue;
-				}
-
-			unref_guard stream_id_unreffer{stream_id};
-			auto columns_type = log_mgr->StreamColumns(stream_id->AsEnumVal());
-
-			if ( ! columns_type )
-				{
-				reporter->Warning("got remote log for unknown stream: %s",
-				                  stream_id->Type()->AsEnumType()->Lookup(
-				                      stream_id->AsEnum()));
-				continue;
-				}
-
-			auto columns = data_to_val(move(lm[1]), columns_type, true);
-
-			if ( ! columns )
-				{
-				reporter->Warning("failed to unpack remote log stream columns"
-				                  " for stream: %s",
-				                  stream_id->Type()->AsEnumType()->Lookup(
-				                      stream_id->AsEnum()));
-				continue;
-				}
-
-			log_mgr->Write(stream_id->AsEnumVal(), columns->AsRecordVal());
-			Unref(columns);
+			if ( lm[0] == "create" )
+				ProcessCreateLog(std::move(lm));
+			else if ( lm[0] == "write" )
+				ProcessWriteLog(std::move(lm));
+			else
+				reporter->Warning("got remote log w/o known type: %d",
+						  static_cast<int>(broker::which(lm[0])));
 			}
 		}
 
@@ -979,6 +989,202 @@ void bro_broker::Manager::Process()
 	next_timestamp = -1;
 	}
 
+bool bro_broker::Manager::ProcessCreateLog(broker::message msg)
+	{
+	if ( msg.size() != 5 )
+		{
+		reporter->Warning("got bad remote log create size: %zd (expected 5)",
+				  msg.size());
+		return false;
+		}
+
+	unsigned int idx = 1; // Skip type at index 0.
+
+	// Get stream ID.
+
+	if ( ! broker::get<broker::enum_value>(msg[idx]) )
+		{
+		reporter->Warning("got remote log create w/o stream id: %d",
+				  static_cast<int>(broker::which(msg[idx])));
+		return false;
+		}
+
+	auto stream_id = data_to_val(move(msg[idx]), log_id_type);
+
+	if ( ! stream_id )
+		{
+		reporter->Warning("failed to unpack remote log stream id");
+		return false;
+		}
+
+	unref_guard stream_id_unreffer{stream_id};
+	++idx;
+
+	// Get writer ID.
+
+	if ( ! broker::get<broker::enum_value>(msg[idx]) )
+		{
+		reporter->Warning("got remote log create w/o writer id: %d",
+				  static_cast<int>(broker::which(msg[idx])));
+		return false;
+		}
+
+	auto writer_id = data_to_val(move(msg[idx]), writer_id_type);
+
+	if ( ! writer_id )
+		{
+		reporter->Warning("failed to unpack remote log writer id");
+		return false;
+		}
+
+	unref_guard writer_id_unreffer{writer_id};
+	++idx;
+
+	// Get writer info.
+
+	if ( ! broker::get<broker::record>(msg[idx]) )
+		{
+		reporter->Warning("got remote log create w/o writer info id: %d",
+				  static_cast<int>(broker::which(msg[idx])));
+		return false;
+		}
+
+	auto writer_info = std::unique_ptr<logging::WriterBackend::WriterInfo>(new logging::WriterBackend::WriterInfo);
+
+	if ( ! writer_info->FromBroker(std::move(msg[idx])) )
+		{
+		reporter->Warning("failed to unpack remote log writer info");
+		return false;
+		}
+
+	++idx;
+
+	// Get log fields.
+
+	auto fields_data = broker::get<broker::vector>(msg[idx]);
+
+	if ( ! fields_data )
+		{
+		reporter->Warning("failed to unpack remote log fields");
+		return false;
+		}
+
+	auto num_fields = fields_data->size();
+	auto fields = new threading::Field* [num_fields];
+
+	for ( auto i = 0u; i < num_fields; ++i )
+		{
+		if ( auto field = data_to_threading_field((*fields_data)[i]) )
+			fields[i] = field;
+		else
+			{
+			reporter->Warning("failed to convert remote log field # %d", i);
+			return false;
+			}
+		}
+
+	if ( ! log_mgr->CreateWriterForRemoteLog(stream_id->AsEnumVal(), writer_id->AsEnumVal(), writer_info.get(), num_fields, fields) )
+		{
+		ODesc d;
+		stream_id->Describe(&d);
+		reporter->Warning("failed to create remote log stream for %s locally", d.Description());
+		}
+
+	writer_info.release(); // log_mgr took ownership.
+	return true;
+	}
+
+bool bro_broker::Manager::ProcessWriteLog(broker::message msg)
+	{
+	if ( msg.size() != 5 )
+		{
+		reporter->Warning("got bad remote log size: %zd (expected 5)",
+				  msg.size());
+		return false;
+		}
+
+	unsigned int idx = 1; // Skip type at index 0.
+
+	// Get stream ID.
+
+	if ( ! broker::get<broker::enum_value>(msg[idx]) )
+		{
+		reporter->Warning("got remote log w/o stream id: %d",
+				  static_cast<int>(broker::which(msg[idx])));
+		return false;
+		}
+
+	auto stream_id = data_to_val(move(msg[idx]), log_id_type);
+
+	if ( ! stream_id )
+		{
+		reporter->Warning("failed to unpack remote log stream id");
+		return false;
+		}
+
+	unref_guard stream_id_unreffer{stream_id};
+	++idx;
+
+	// Get writer ID.
+
+	if ( ! broker::get<broker::enum_value>(msg[idx]) )
+		{
+		reporter->Warning("got remote log w/o writer id: %d",
+				  static_cast<int>(broker::which(msg[idx])));
+		return false;
+		}
+
+	auto writer_id = data_to_val(move(msg[idx]), writer_id_type);
+
+	if ( ! writer_id )
+		{
+		reporter->Warning("failed to unpack remote log writer id");
+		return false;
+		}
+
+	unref_guard writer_id_unreffer{writer_id};
+	++idx;
+
+	// Get path.
+
+	auto path = broker::get<std::string>(msg[idx]);
+
+	if ( ! path )
+		{
+		reporter->Warning("failed to unpack remote log path");
+		return false;
+		}
+
+	++idx;
+
+	// Get log values.
+
+	auto vals_data = broker::get<broker::vector>(msg[idx]);
+
+	if ( ! vals_data )
+		{
+		reporter->Warning("failed to unpack remote log values");
+		return false;
+		}
+
+	auto num_vals = vals_data->size();
+	auto vals = new threading::Value* [num_vals];
+
+	for ( auto i = 0u; i < num_vals; ++i )
+		{
+		if ( auto val = data_to_threading_val((*vals_data)[i]) )
+			vals[i] = val;
+		else
+			{
+			reporter->Warning("failed to convert remote log arg # %d", i);
+			return false;
+			}
+		}
+
+	log_mgr->WriteFromRemote(stream_id->AsEnumVal(), writer_id->AsEnumVal(), *path, num_vals, vals);
+	return true;
+	}
+
 bool bro_broker::Manager::AddStore(StoreHandleVal* handle)
 	{
 	if ( ! Enabled() )
diff --git a/src/broker/Manager.h b/src/broker/Manager.h
index 9fb7b9e328..d5701c56b1 100644
--- a/src/broker/Manager.h
+++ b/src/broker/Manager.h
@@ -156,15 +156,34 @@ public:
 	/**
 	 * Send a log entry to any interested peers.  The topic name used is
 	 * implicitly "bro/log/<stream-name>".
-	 * @param stream_id the stream to which the log entry belongs.
-	 * @param columns the data which comprises the log entry.
-	 * @param info the record type corresponding to the log's columns.
+	 * @param stream the stream to which the log entry belongs.
+	 * @param writer the writer to use for outputting this log entry.
+	 * @param path the log path to output the log entry to.
+	 * @param num_vals the number of fields to log.
+	 * @param vals the log values to log, of size num_vals.
 	 * @param flags tune the behavior of how the message is send.
 	 * See the Broker::SendFlags record type.
 	 * @return true if the message is sent successfully.
 	 */
-	bool Log(EnumVal* stream_id, RecordVal* columns, RecordType* info,
-	         int flags);
+	bool Log(EnumVal* stream, EnumVal* writer, string path, int num_vals,
+		 const threading::Value* const * vals, int flags);
+
+	/**
+	 * Send a message to create a log stream to any interested peers.
+	 * The log stream may or may not already exist on the receiving side.
+	 * The topic name used is implicitly "bro/log/<stream-name>".
+	 * @param stream the stream to which the log entry belongs.
+	 * @param writer the writer to use for outputting this log entry.
+	 * @param info backend initialization information for the writer.
+	 * @param num_fields the number of fields the log has.
+	 * @param fields the log's fields, of size num_fields.
+	 * @param flags tune the behavior of how the message is send.
+	 * See the Broker::SendFlags record type.
+	 * @param peer If given, send the message only to this peer.
+	 * @return true if the message is sent successfully.
+	 */
+	bool CreateLog(EnumVal* stream, EnumVal* writer, const logging::WriterBackend::WriterInfo& info,
+		       int num_fields, const threading::Field* const * fields, int flags, const string& peer = "");
 
 	/**
 	 * Automatically send an event to any interested peers whenever it is
@@ -325,7 +344,6 @@ public:
 	static int send_flags_to_int(Val* flags);
 
 private:
-
 	// IOSource interface overrides:
 	void GetFds(iosource::FD_Set* read, iosource::FD_Set* write,
 	            iosource::FD_Set* except) override;
@@ -340,6 +358,9 @@ private:
 	broker::endpoint& Endpoint()
 		{ return *endpoint; }
 
+	bool ProcessCreateLog(broker::message msg);
+	bool ProcessWriteLog(broker::message msg);
+
 	struct QueueWithStats {
 		broker::message_queue q;
 		size_t received = 0;
@@ -360,6 +381,7 @@ private:
 
 	static VectorType* vector_of_data_type;
 	static EnumType* log_id_type;
+	static EnumType* writer_id_type;
 	static int send_flags_self_idx;
 	static int send_flags_peers_idx;
 	static int send_flags_unsolicited_idx;
diff --git a/src/broxygen/Manager.cc b/src/broxygen/Manager.cc
index 7e2a0067d5..9e33e6919b 100644
--- a/src/broxygen/Manager.cc
+++ b/src/broxygen/Manager.cc
@@ -6,7 +6,6 @@
 
 #include <utility>
 #include <cstdlib>
-#include <wordexp.h>
 
 using namespace broxygen;
 using namespace std;
@@ -61,27 +60,23 @@ Manager::Manager(const string& arg_config, const string& bro_command)
 	if ( getenv("BRO_DISABLE_BROXYGEN") )
 		disabled = true;
 
-	if ( disabled )
+	// If running bro without the "-X" option, then we don't need bro_mtime.
+	if ( disabled || arg_config.empty() )
 		return;
 
+	// Find the absolute or relative path to bro by checking each PATH
+	// component and also the current directory (so that this works if
+	// bro_command is a relative path).
 	const char* env_path = getenv("PATH");
 	string path = env_path ? string(env_path) + ":." : ".";
-	wordexp_t expanded_path;
-	wordexp(path.c_str(), &expanded_path, WRDE_NOCMD);
-	string path_to_bro;
-
-	if ( expanded_path.we_wordc == 1 )
-		path_to_bro = find_file(bro_command, expanded_path.we_wordv[0]);
-	else
-		{
-		reporter->InternalWarning("odd expansion of path: %s\n", path.c_str());
-		path_to_bro = find_file(bro_command, path);
-		}
-
+	string path_to_bro = find_file(bro_command, path);
 	struct stat s;
 
+	// One way that find_file() could fail is when bro is located in
+	// a PATH component that starts with a tilde (such as "~/bin").  A simple
+	// workaround is to just run bro with a relative or absolute path.
 	if ( path_to_bro.empty() || stat(path_to_bro.c_str(), &s) < 0 )
-		reporter->InternalError("Broxygen can't get mtime of bro binary %s: %s",
+		reporter->InternalError("Broxygen can't get mtime of bro binary %s (try again by specifying the absolute or relative path to Bro): %s",
 		                        path_to_bro.c_str(), strerror(errno));
 
 	bro_mtime = s.st_mtime;
diff --git a/src/file_analysis/Analyzer.h b/src/file_analysis/Analyzer.h
index dcb8434a6f..dfe9c795a8 100644
--- a/src/file_analysis/Analyzer.h
+++ b/src/file_analysis/Analyzer.h
@@ -123,6 +123,21 @@ public:
 	void SetGotStreamDelivery()
 		{ got_stream_delivery = true; }
 
+	/**
+	 * Signals that the analyzer is to skip all further input
+	 * processsing. This won't have an immediate effect internally, but
+	 * the flag can be queried through Skipping().
+	 *
+	 * @param do_skip If true, further processing will be skipped.
+	 */
+	void SetSkip(bool do_skip)		{ skip = do_skip; }
+
+	/**
+	 * Returns true if the analyzer has been told to skip processing all
+	 * further input.
+	 */
+	bool Skipping() const			{ return skip; }
+
 protected:
 
 	/**
@@ -136,7 +151,8 @@ protected:
 	    : tag(arg_tag),
 	      args(arg_args->Ref()->AsRecordVal()),
 	      file(arg_file),
-	      got_stream_delivery(false)
+	      got_stream_delivery(false),
+	      skip(false)
 		{
 		id = ++id_counter;
 		}
@@ -154,7 +170,8 @@ protected:
 	    : tag(),
 	      args(arg_args->Ref()->AsRecordVal()),
 	      file(arg_file),
-	      got_stream_delivery(false)
+	      got_stream_delivery(false),
+	      skip(false)
 		{
 		id = ++id_counter;
 		}
@@ -166,6 +183,7 @@ private:
 	RecordVal* args;	/**< \c AnalyzerArgs val gives tunable analyzer params. */
 	File* file;	/**< The file to which the analyzer is attached. */
 	bool got_stream_delivery;
+	bool skip;
 
 	static ID id_counter;
 };
diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc
index 1de1d230de..35968c9a02 100644
--- a/src/file_analysis/AnalyzerSet.cc
+++ b/src/file_analysis/AnalyzerSet.cc
@@ -130,7 +130,11 @@ bool AnalyzerSet::Remove(file_analysis::Tag tag, HashKey* key)
 	        file_mgr->GetComponentName(tag).c_str());
 
 	a->Done();
-	delete a;
+
+	// We don't delete the analyzer object right here because the remove
+	// operation may execute at a time when it can still be accessed.
+	// Instead we let the file know to delete the analyzer later.
+	file->DoneWithAnalyzer(a);
 
 	return true;
 	}
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index 3b674b3ef9..46624e23c0 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -55,6 +55,7 @@ int File::bof_buffer_size_idx = -1;
 int File::bof_buffer_idx = -1;
 int File::meta_mime_type_idx = -1;
 int File::meta_mime_types_idx = -1;
+int File::meta_inferred_idx = -1;
 
 void File::StaticInit()
 	{
@@ -76,6 +77,7 @@ void File::StaticInit()
 	bof_buffer_idx = Idx("bof_buffer", fa_file_type);
 	meta_mime_type_idx = Idx("mime_type", fa_metadata_type);
 	meta_mime_types_idx = Idx("mime_types", fa_metadata_type);
+	meta_inferred_idx = Idx("inferred", fa_metadata_type);
 	}
 
 File::File(const string& file_id, const string& source_name, Connection* conn,
@@ -107,6 +109,9 @@ File::~File()
 	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Destroying File object", id.c_str());
 	Unref(val);
 	delete file_reassembler;
+
+	for ( auto a : done_analyzers )
+		delete a;
 	}
 
 void File::UpdateLastActivityTime()
@@ -287,6 +292,27 @@ void File::SetReassemblyBuffer(uint64 max)
 	reassembly_max_buffer = max;
 	}
 
+bool File::SetMime(const string& mime_type)
+	{
+	if ( mime_type.empty() || bof_buffer.size != 0 || did_metadata_inference )
+		return false;
+
+	did_metadata_inference = true;
+	bof_buffer.full = true;
+
+	if ( ! FileEventAvailable(file_sniff) )
+		return false;
+
+	val_list* vl = new val_list();
+	vl->append(val->Ref());
+	RecordVal* meta = new RecordVal(fa_metadata_type);
+	vl->append(meta);
+	meta->Assign(meta_mime_type_idx, new StringVal(mime_type));
+	meta->Assign(meta_inferred_idx, new Val(0, TYPE_BOOL));
+	FileEvent(file_sniff, vl);
+	return true;
+	}
+
 void File::InferMetadata()
 	{
 	did_metadata_inference = true;
@@ -391,9 +417,15 @@ void File::DeliverStream(const u_char* data, uint64 len)
 			// Catch this analyzer up with the BOF buffer.
 			for ( int i = 0; i < num_bof_chunks_behind; ++i )
 				{
-				if ( ! a->DeliverStream(bof_buffer.chunks[i]->Bytes(),
-				                        bof_buffer.chunks[i]->Len()) )
-					analyzers.QueueRemove(a->Tag(), a->Args());
+				if ( ! a->Skipping() )
+					{
+					if ( ! a->DeliverStream(bof_buffer.chunks[i]->Bytes(),
+								bof_buffer.chunks[i]->Len()) )
+						{
+						a->SetSkip(true);
+						analyzers.QueueRemove(a->Tag(), a->Args());
+						}
+					}
 
 				bytes_delivered += bof_buffer.chunks[i]->Len();
 				}
@@ -403,8 +435,14 @@ void File::DeliverStream(const u_char* data, uint64 len)
 			// Analyzer should be fully caught up to stream_offset now.
 			}
 
-		if ( ! a->DeliverStream(data, len) )
-			analyzers.QueueRemove(a->Tag(), a->Args());
+		if ( ! a->Skipping() )
+			{
+			if ( ! a->DeliverStream(data, len) )
+				{
+				a->SetSkip(true);
+				analyzers.QueueRemove(a->Tag(), a->Args());
+				}
+			}
 		}
 
 	stream_offset += len;
@@ -468,9 +506,13 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
 	while ( (a = analyzers.NextEntry(c)) )
 		{
 		DBG_LOG(DBG_FILE_ANALYSIS, "chunk delivery to analyzer %s", file_mgr->GetComponentName(a->Tag()).c_str());
-		if ( ! a->DeliverChunk(data, len, offset) )
+		if ( ! a->Skipping() )
 			{
-			analyzers.QueueRemove(a->Tag(), a->Args());
+			if ( ! a->DeliverChunk(data, len, offset) )
+				{
+				a->SetSkip(true);
+				analyzers.QueueRemove(a->Tag(), a->Args());
+				}
 			}
 		}
 
@@ -478,6 +520,11 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
 		EndOfFile();
 	}
 
+void File::DoneWithAnalyzer(Analyzer* analyzer)
+	{
+	done_analyzers.push_back(analyzer);
+	}
+
 void File::DataIn(const u_char* data, uint64 len, uint64 offset)
 	{
 	analyzers.DrainModifications();
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h
index 6ad90e986b..1d4fb03789 100644
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@@ -119,6 +119,11 @@ public:
 	 */
 	bool RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args);
 
+	/**
+	 * Signal that this analyzer can be deleted once it's safe to do so.
+	 */
+	void DoneWithAnalyzer(Analyzer* analyzer);
+
 	/**
 	 * Pass in non-sequential data and deliver to attached analyzers.
 	 * @param data pointer to start of a chunk of file data.
@@ -166,6 +171,27 @@ public:
 	 */
 	void FileEvent(EventHandlerPtr h, val_list* vl);
 
+
+	/**
+	 * Sets the MIME type for a file to a specific value.
+	 *
+	 * Setting the MIME type has to be done before the MIME type is
+	 * inferred from the content, and before any data is passed to the
+	 * analyzer (the beginning of file buffer has to be empty). After
+	 * data has been sent or a MIME type has been set once, it cannot be
+	 * changed.
+	 *
+	 * This function should only be called when it does not make sense
+	 * to perform automated MIME type detections. This is e.g. the case
+	 * in protocols where the file type is fixed in the protocol description.
+	 * This is for example the case for TLS and X.509 certificates.
+	 *
+	 * @param mime_type mime type to set
+	 * @return true if the mime type was set. False if it could not be set because
+	 *         a mime type was already set or inferred.
+	 */
+	bool SetMime(const string& mime_type);
+
 protected:
 	friend class Manager;
 	friend class FileReassembler;
@@ -287,6 +313,7 @@ protected:
 	bool postpone_timeout;     /**< Whether postponing timeout is requested. */
 	bool done;                 /**< If this object is about to be deleted. */
 	AnalyzerSet analyzers;     /**< A set of attached file analyzers. */
+	std::list<Analyzer *> done_analyzers; /**< Analyzers we're done with, remembered here until they can be safely deleted. */
 
 	struct BOF_Buffer {
 		BOF_Buffer() : full(false), size(0) {}
@@ -313,6 +340,7 @@ protected:
 	static int bof_buffer_idx;
 	static int mime_type_idx;
 	static int mime_types_idx;
+	static int meta_inferred_idx;
 
 	static int meta_mime_type_idx;
 	static int meta_mime_types_idx;
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 217c901969..41528e2ceb 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -110,7 +110,7 @@ void Manager::SetHandle(const string& handle)
 
 string Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
                        analyzer::Tag tag, Connection* conn, bool is_orig,
-                       const string& precomputed_id)
+                       const string& precomputed_id, const string& mime_type)
 	{
 	string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id;
 	File* file = GetFile(id, conn, tag, is_orig);
@@ -118,6 +118,15 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
 	if ( ! file )
 		return "";
 
+	// This only has any effect when
+	// * called for the first time for a file
+	// * being called before file->DataIn is called for the first time (before data is
+	//   added to the bof buffer).
+	// Afterwards SetMime just ignores what is passed to it. Thus this only has effect during
+	// the first Manager::DataIn call for each file.
+	if ( ! mime_type.empty() )
+		file->SetMime(mime_type);
+
 	file->DataIn(data, len, offset);
 
 	if ( file->IsComplete() )
@@ -130,7 +139,8 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
 	}
 
 string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag,
-                       Connection* conn, bool is_orig, const string& precomputed_id)
+		       Connection* conn, bool is_orig, const string& precomputed_id,
+		       const string& mime_type)
 	{
 	string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id;
 	// Sequential data input shouldn't be going over multiple conns, so don't
@@ -140,6 +150,9 @@ string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag,
 	if ( ! file )
 		return "";
 
+	if ( ! mime_type.empty() )
+		file->SetMime(mime_type);
+
 	file->DataIn(data, len);
 
 	if ( file->IsComplete() )
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index bcc8ac5dd2..dec308236a 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -93,6 +93,13 @@ public:
 	 *        or false if is being sent in the opposite direction.
 	 * @param precomputed_file_id may be set to a previous return value in order to
 	 *        bypass costly file handle lookups.
+	 * @param mime_type may be set to the mime type of the file, if already known due
+	 *        to the protocol. This is, e.g., the case in TLS connections where X.509
+	 *        certificates are passed as files; here the type of the file is set by
+	 *        the protocol. If this parameter is given, MIME type detection will be
+	 *        disabled.
+	 *        This parameter only has any effect for the first DataIn call of each
+	 *        file. It is ignored for all subsequent calls.
 	 * @return a unique file ID string which, in certain contexts, may be
 	 *         cached and passed back in to a subsequent function call in order
 	 *         to avoid costly file handle lookups (which have to go through
@@ -101,7 +108,8 @@ public:
 	 */
 	std::string DataIn(const u_char* data, uint64 len, uint64 offset,
 	                   analyzer::Tag tag, Connection* conn, bool is_orig,
-	                   const std::string& precomputed_file_id = "");
+	                   const std::string& precomputed_file_id = "",
+	                   const std::string& mime_type = "");
 
 	/**
 	 * Pass in sequential file data.
@@ -113,6 +121,12 @@ public:
 	 *        or false if is being sent in the opposite direction.
 	 * @param precomputed_file_id may be set to a previous return value in order to
 	 *        bypass costly file handle lookups.
+	 * @param mime_type may be set to the mime type of the file, if already known due
+	 *        to the protocol. This is, e.g., the case in TLS connections where X.509
+	 *        certificates are passed as files; here the type of the file is set by
+	 *        the protocol. If this parameter is give, mime type detection will be
+	 *        disabled.
+	 *        This parameter is only used for the first bit of data for each file.
 	 * @return a unique file ID string which, in certain contexts, may be
 	 *         cached and passed back in to a subsequent function call in order
 	 *         to avoid costly file handle lookups (which have to go through
@@ -121,7 +135,8 @@ public:
 	 */
 	std::string DataIn(const u_char* data, uint64 len, analyzer::Tag tag,
 	                   Connection* conn, bool is_orig,
-	                   const std::string& precomputed_file_id = "");
+	                   const std::string& precomputed_file_id = "",
+	                   const std::string& mime_type = "");
 
 	/**
 	 * Pass in sequential file data from external source (e.g. input framework).
diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt
index aa663cfa6e..a4c5767e56 100644
--- a/src/file_analysis/analyzer/x509/CMakeLists.txt
+++ b/src/file_analysis/analyzer/x509/CMakeLists.txt
@@ -5,6 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
 bro_plugin_begin(Bro X509)
-bro_plugin_cc(X509.cc Plugin.cc)
-bro_plugin_bif(events.bif types.bif functions.bif)
+bro_plugin_cc(X509Common.cc X509.cc OCSP.cc Plugin.cc)
+bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif)
+bro_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac)
 bro_plugin_end()
diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
new file mode 100644
index 0000000000..02c9274999
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -0,0 +1,407 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <string>
+
+#include "OCSP.h"
+#include "X509.h"
+#include "Event.h"
+
+#include "types.bif.h"
+#include "ocsp_events.bif.h"
+
+#include "file_analysis/Manager.h"
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/asn1.h>
+#include <openssl/opensslconf.h>
+
+#include "file_analysis/analyzer/x509/X509.h"
+
+// helper function of sk_X509_value to avoid namespace problem
+// sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y)
+// X509 => file_analysis::X509
+X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i)
+	{
+	return sk_X509_value(certs, i);
+	}
+
+using namespace file_analysis;
+
+IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL);
+
+#define OCSP_STRING_BUF_SIZE 2048
+
+static Val* get_ocsp_type(RecordVal* args, const char* name)
+	{
+	Val* rval = args->Lookup(name);
+
+	if ( ! rval )
+		reporter->Error("File extraction analyzer missing arg field: %s", name);
+
+	return rval;
+	}
+
+static void OCSP_RESPID_bio(OCSP_RESPID *resp_id, BIO* bio)
+	{
+	if (resp_id->type == V_OCSP_RESPID_NAME)
+		X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE);
+	else if (resp_id->type == V_OCSP_RESPID_KEY)
+		i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING);
+	}
+
+void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio)
+	{
+	char buf[OCSP_STRING_BUF_SIZE];
+	memset(buf, 0, sizeof(buf));
+
+	i2a_ASN1_OBJECT(bio, cert_id->hashAlgorithm->algorithm);
+	int len = BIO_read(bio, buf, sizeof(buf));
+	vl->append(new StringVal(len, buf));
+	BIO_reset(bio);
+
+	i2a_ASN1_STRING(bio, cert_id->issuerNameHash, V_ASN1_OCTET_STRING);
+	len = BIO_read(bio, buf, sizeof(buf));
+	vl->append(new StringVal(len, buf));
+	BIO_reset(bio);
+
+	i2a_ASN1_STRING(bio, cert_id->issuerKeyHash, V_ASN1_OCTET_STRING);
+	len = BIO_read(bio, buf, sizeof(buf));
+	vl->append(new StringVal(len, buf));
+	BIO_reset(bio);
+
+	i2a_ASN1_INTEGER(bio, cert_id->serialNumber);
+	len = BIO_read(bio, buf, sizeof(buf));
+	vl->append(new StringVal(len, buf));
+	BIO_reset(bio);
+	}
+
+file_analysis::Analyzer* OCSP::InstantiateRequest(RecordVal* args, File* file)
+	{
+	return new OCSP(args, file, true);
+	}
+
+file_analysis::Analyzer* OCSP::InstantiateReply(RecordVal* args, File* file)
+	{
+	return new OCSP(args, file, false);
+	}
+
+file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, bool arg_request)
+	: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request)
+	{
+	}
+
+bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len)
+	{
+	ocsp_data.append(reinterpret_cast<const char*>(data), len);
+	return true;
+	}
+
+bool file_analysis::OCSP::Undelivered(uint64 offset, uint64 len)
+	{
+	return false;
+	}
+
+// we parse the entire OCSP response in EOF, because we just pass it on
+// to OpenSSL.
+bool file_analysis::OCSP::EndOfFile()
+	{
+	const unsigned char* ocsp_char = reinterpret_cast<const unsigned char*>(ocsp_data.data());
+
+	if ( request )
+		{
+		OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size());
+
+		if (!req)
+			{
+			reporter->Weird(fmt("OPENSSL Could not parse OCSP request (fuid %s)", GetFile()->GetID().c_str()));
+			return false;
+			}
+
+		ParseRequest(req, GetFile()->GetID().c_str());
+		OCSP_REQUEST_free(req);
+		}
+	else
+		{
+		OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size());
+		if (!resp)
+			{
+			reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str()));
+			return false;
+			}
+
+		OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership
+		ParseResponse(resp_val, GetFile()->GetID().c_str());
+		Unref(resp_val);
+		}
+
+	return true;
+}
+
+void file_analysis::OCSP::ParseRequest(OCSP_REQUEST *req, const char* fid)
+	{
+	OCSP_REQINFO *inf     = req->tbsRequest;
+
+	char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions
+	memset(buf, 0, sizeof(buf));
+
+	// build up our response as we go along...
+	val_list* vl = new val_list();
+	vl->append(GetFile()->GetVal()->Ref());
+	vl->append(new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT));
+	BIO *bio = BIO_new(BIO_s_mem());
+
+	if (inf->requestorName != NULL)
+		{
+		GENERAL_NAME_print(bio, inf->requestorName);
+		int len = BIO_read(bio, buf, sizeof(buf));
+		vl->append(new StringVal(len, buf));
+		BIO_reset(bio);
+		}
+	else
+		vl->append(new StringVal(0, ""));
+
+	mgr.QueueEvent(ocsp_request, vl);
+
+	int req_count = OCSP_request_onereq_count(req);
+	for ( int i=0; i<req_count; i++ )
+		{
+		val_list* rvl = new val_list();
+		rvl->append(GetFile()->GetVal()->Ref());
+
+		OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i);
+		OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req);
+
+		ocsp_add_cert_id(cert_id, rvl, bio);
+		mgr.QueueEvent(ocsp_request_certificate, rvl);
+		}
+
+	BIO_free(bio);
+}
+
+void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid)
+	{
+	OCSP_RESPONSE   *resp       = resp_val->GetResp();
+	OCSP_RESPBYTES  *resp_bytes = resp->responseBytes;
+	OCSP_BASICRESP  *basic_resp = nullptr;
+	OCSP_RESPDATA   *resp_data  = nullptr;
+	OCSP_RESPID     *resp_id    = nullptr;
+
+	int resp_count, num_ext = 0;
+	VectorVal *certs_vector = nullptr;
+	int len = 0;
+
+ 	char buf[OCSP_STRING_BUF_SIZE];
+	memset(buf, 0, sizeof(buf));
+
+	val_list* vl = new val_list();
+	vl->append(GetFile()->GetVal()->Ref());
+
+	const char *status_str = OCSP_response_status_str(OCSP_response_status(resp));
+	StringVal* status_val = new StringVal(strlen(status_str), status_str);
+	vl->append(status_val->Ref());
+	mgr.QueueEvent(ocsp_response_status, vl);
+	vl = nullptr;
+
+	if (!resp_bytes)
+		{
+		Unref(status_val);
+		return;
+		}
+
+	BIO *bio = BIO_new(BIO_s_mem());
+	//i2a_ASN1_OBJECT(bio, resp_bytes->responseType);
+	//int len = BIO_read(bio, buf, sizeof(buf));
+	//BIO_reset(bio);
+
+	// get the basic response
+	basic_resp = OCSP_response_get1_basic(resp);
+	if ( !basic_resp )
+		goto clean_up;
+
+	resp_data = basic_resp->tbsResponseData;
+	if ( !resp_data )
+		goto clean_up;
+
+	vl = new val_list();
+	vl->append(GetFile()->GetVal()->Ref());
+	vl->append(resp_val->Ref());
+	vl->append(status_val);
+	vl->append(new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT));
+
+	// responderID
+	resp_id = resp_data->responderId;
+	OCSP_RESPID_bio(resp_id, bio);
+	len = BIO_read(bio, buf, sizeof(buf));
+	vl->append(new StringVal(len, buf));
+	BIO_reset(bio);
+
+	// producedAt
+	vl->append(new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME));
+
+	// responses
+	resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses);
+	for ( int i=0; i<resp_count; i++ )
+		{
+		OCSP_SINGLERESP *single_resp = sk_OCSP_SINGLERESP_value(resp_data->responses, i);
+		if ( !single_resp )
+			continue;
+
+		val_list* rvl = new val_list();
+		rvl->append(GetFile()->GetVal()->Ref());
+
+		// cert id
+		OCSP_CERTID *cert_id = single_resp->certId;
+		ocsp_add_cert_id(cert_id, rvl, bio);
+		BIO_reset(bio);
+
+		// certStatus
+		OCSP_CERTSTATUS *cert_status = single_resp->certStatus;
+		const char* cert_status_str = OCSP_cert_status_str(cert_status->type);
+		rvl->append(new StringVal(strlen(cert_status_str), cert_status_str));
+
+		// revocation time and reason if revoked
+		if ( cert_status->type == V_OCSP_CERTSTATUS_REVOKED )
+			{
+			OCSP_REVOKEDINFO *revoked_info = cert_status->value.revoked;
+			rvl->append(new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME));
+
+			if ( revoked_info->revocationReason )
+				{
+				const char* revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason));
+				rvl->append(new StringVal(strlen(revoke_reason), revoke_reason));
+				}
+			else
+				rvl->append(new StringVal(0, ""));
+			}
+		else
+			{
+			rvl->append(new Val(0, TYPE_TIME));
+			rvl->append(new StringVal(0, ""));
+			}
+
+		rvl->append(new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME));
+		if ( single_resp->nextUpdate )
+			rvl->append(new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME));
+		else
+			rvl->append(new Val(0, TYPE_TIME));
+
+		mgr.QueueEvent(ocsp_response_certificate, rvl);
+
+		num_ext = OCSP_SINGLERESP_get_ext_count(single_resp);
+		for ( int k = 0; k < num_ext; ++k )
+			{
+			X509_EXTENSION* ex = OCSP_SINGLERESP_get_ext(single_resp, k);
+			if ( ! ex )
+				continue;
+
+			ParseExtension(ex, ocsp_extension, false);
+			}
+		}
+
+	i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
+	len = BIO_read(bio, buf, sizeof(buf));
+	vl->append(new StringVal(len, buf));
+	BIO_reset(bio);
+
+	//i2a_ASN1_OBJECT(bio, basic_resp->signature);
+	//len = BIO_read(bio, buf, sizeof(buf));
+	//ocsp_resp_record->Assign(7, new StringVal(len, buf));
+	//BIO_reset(bio);
+
+	certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
+	vl->append(certs_vector);
+	if ( basic_resp->certs )
+		{
+		int num_certs = sk_X509_num(basic_resp->certs);
+		for ( int i=0; i<num_certs; i++ )
+			{
+			::X509 *this_cert = X509_dup(helper_sk_X509_value(basic_resp->certs, i));
+			//::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i));
+			if (this_cert)
+				certs_vector->Assign(i, new file_analysis::X509Val(this_cert));
+			else
+				reporter->Weird("OpenSSL returned null certificate");
+			}
+	  }
+	mgr.QueueEvent(ocsp_response_bytes, vl);
+
+	// ok, now that we are done with the actual certificate - let's parse extensions :)
+	num_ext = OCSP_BASICRESP_get_ext_count(basic_resp);
+	for ( int k = 0; k < num_ext; ++k )
+		{
+		X509_EXTENSION* ex = OCSP_BASICRESP_get_ext(basic_resp, k);
+		if ( ! ex )
+			continue;
+
+		ParseExtension(ex, ocsp_extension, true);
+		}
+
+clean_up:
+	if (basic_resp)
+		OCSP_BASICRESP_free(basic_resp);
+	BIO_free(bio);
+}
+
+void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
+	{
+	// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_cert_scts.
+	// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
+	// look it up by performing a string comparison on the oid.
+#ifdef NID_ct_cert_scts
+	if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts )
+#else
+	if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.5") == 0 )
+#endif
+		ParseSignedCertificateTimestamps(ex);
+	}
+
+OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type)
+	{
+	ocsp_resp = arg_ocsp_resp;
+	}
+
+OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type)
+	{
+	ocsp_resp = nullptr;
+	}
+
+OCSP_RESPVal::~OCSP_RESPVal()
+	{
+	if (ocsp_resp)
+		OCSP_RESPONSE_free(ocsp_resp);
+	}
+
+OCSP_RESPONSE* OCSP_RESPVal::GetResp() const
+	{
+	return ocsp_resp;
+	}
+
+bool OCSP_RESPVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_OCSP_RESP_VAL, OpaqueVal);
+	unsigned char *buf = nullptr;
+	int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf);
+	if ( length < 0 )
+		return false;
+	bool res = SERIALIZE_STR(reinterpret_cast<const char*>(buf), length);
+	OPENSSL_free(buf);
+	return res;
+	}
+
+bool OCSP_RESPVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(OpaqueVal)
+
+	int length;
+	unsigned char *ocsp_resp_buf, *opensslbuf;
+
+	if ( ! UNSERIALIZE_STR(reinterpret_cast<char **>(&ocsp_resp_buf), &length) )
+		return false;
+	opensslbuf = ocsp_resp_buf; // OpenSSL likes to shift pointers around. really.
+	ocsp_resp = d2i_OCSP_RESPONSE(nullptr, const_cast<const unsigned char**>(&opensslbuf), length);
+	delete [] ocsp_resp_buf;
+	if ( ! ocsp_resp )
+		return false;
+	return true;
+	}
diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h
new file mode 100644
index 0000000000..d1d15dd14f
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/OCSP.h
@@ -0,0 +1,54 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef FILE_ANALYSIS_OCSP_H
+#define FILE_ANALYSIS_OCSP_H
+
+#include <string>
+
+#include "Val.h"
+#include "../File.h"
+#include "Analyzer.h"
+#include "X509Common.h"
+
+#include <openssl/ocsp.h>
+
+namespace file_analysis {
+
+class OCSP_RESPVal;
+
+class OCSP : public file_analysis::X509Common {
+public:
+	bool DeliverStream(const u_char* data, uint64 len) override;
+	bool Undelivered(uint64 offset, uint64 len) override;
+	bool EndOfFile() override;
+
+	static file_analysis::Analyzer* InstantiateRequest(RecordVal* args, File* file);
+	static file_analysis::Analyzer* InstantiateReply(RecordVal* args, File* file);
+
+protected:
+	OCSP(RecordVal* args, File* file, bool request);
+
+private:
+	void ParseResponse(OCSP_RESPVal *, const char* fid = 0);
+	void ParseRequest(OCSP_REQUEST *, const char* fid = 0);
+	void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override;
+
+	std::string ocsp_data;
+	bool request = false; // true if ocsp request, false if reply
+};
+
+class OCSP_RESPVal: public OpaqueVal {
+public:
+	explicit OCSP_RESPVal(OCSP_RESPONSE *);
+	~OCSP_RESPVal();
+	OCSP_RESPONSE *GetResp() const;
+protected:
+	OCSP_RESPVal();
+private:
+	OCSP_RESPONSE *ocsp_resp;
+	DECLARE_SERIAL(OCSP_RESPVal);
+};
+
+}
+
+#endif
diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc
index d9d1b71ab4..31dbe346a8 100644
--- a/src/file_analysis/analyzer/x509/Plugin.cc
+++ b/src/file_analysis/analyzer/x509/Plugin.cc
@@ -4,6 +4,7 @@
 #include "plugin/Plugin.h"
 
 #include "X509.h"
+#include "OCSP.h"
 
 namespace plugin {
 namespace Bro_X509 {
@@ -13,10 +14,12 @@ public:
 	plugin::Configuration Configure()
 		{
 		AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate));
+		AddComponent(new ::file_analysis::Component("OCSP_REQUEST", ::file_analysis::OCSP::InstantiateRequest));
+		AddComponent(new ::file_analysis::Component("OCSP_REPLY", ::file_analysis::OCSP::InstantiateReply));
 
 		plugin::Configuration config;
 		config.name = "Bro::X509";
-		config.description = "X509 analyzer";
+		config.description = "X509 and OCSP analyzer";
 		return config;
 		}
 } plugin;
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index da3c6635a8..2274f8fe3d 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -21,7 +21,7 @@ using namespace file_analysis;
 IMPLEMENT_SERIAL(X509Val, SER_X509_VAL);
 
 file_analysis::X509::X509(RecordVal* args, file_analysis::File* file)
-	: file_analysis::Analyzer(file_mgr->GetComponentTag("X509"), args, file)
+	: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"), args, file)
 	{
 	cert_data.clear();
 	}
@@ -72,7 +72,7 @@ bool file_analysis::X509::EndOfFile()
 		if ( ! ex )
 			continue;
 
-		ParseExtension(ex);
+		ParseExtension(ex, x509_extension, false);
 		}
 
 	// X509_free(ssl_cert); We do _not_ free the certificate here. It is refcounted
@@ -133,8 +133,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char*
 	pX509Cert->Assign(3, new StringVal(len, buf));
 	BIO_free(bio);
 
-	pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid), TYPE_TIME));
-	pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid), TYPE_TIME));
+	pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid, reporter), TYPE_TIME));
+	pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid, reporter), TYPE_TIME));
 
 	// we only read 255 bytes because byte 256 is always 0.
 	// if the string is longer than 255, that will be our null-termination,
@@ -205,101 +205,6 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char*
 	return pX509Cert;
 	}
 
-StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio)
-	{
-	BIO_flush(bio);
-	ERR_clear_error();
-	int length = BIO_pending(bio);
-
-	if ( ERR_peek_error() != 0 )
-		{
-		char tmp[120];
-		ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp));
-		reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp));
-		BIO_free_all(bio);
-		return 0;
-		}
-
-	if ( length == 0 )
-		{
-		BIO_free_all(bio);
-		return new StringVal("");
-		}
-
-	char* buffer = (char*) malloc(length);
-
-	if ( ! buffer )
-		{
-		// Just emit an error here and try to continue instead of aborting
-		// because it's unclear the length value is very reliable.
-		reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length);
-		BIO_free_all(bio);
-		return 0;
-		}
-
-	BIO_read(bio, (void*) buffer, length);
-	StringVal* ext_val = new StringVal(length, buffer);
-
-	free(buffer);
-	BIO_free_all(bio);
-
-	return ext_val;
-	}
-
-void file_analysis::X509::ParseExtension(X509_EXTENSION* ex)
-	{
-	char name[256];
-	char oid[256];
-
-	ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex);
-	const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn));
-
-	OBJ_obj2txt(name, 255, ext_asn, 0);
-	OBJ_obj2txt(oid, 255, ext_asn, 1);
-
-	int critical = 0;
-	if ( X509_EXTENSION_get_critical(ex) != 0 )
-		critical = 1;
-
-	BIO *bio = BIO_new(BIO_s_mem());
-	if( ! X509V3_EXT_print(bio, ex, 0, 0))
-		M_ASN1_OCTET_STRING_print(bio,ex->value);
-
-	StringVal* ext_val = GetExtensionFromBIO(bio);
-
-	if ( ! ext_val )
-		ext_val = new StringVal(0, "");
-
-	RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension);
-	pX509Ext->Assign(0, new StringVal(name));
-
-	if ( short_name and strlen(short_name) > 0 )
-		pX509Ext->Assign(1, new StringVal(short_name));
-
-	pX509Ext->Assign(2, new StringVal(oid));
-	pX509Ext->Assign(3, new Val(critical, TYPE_BOOL));
-	pX509Ext->Assign(4, ext_val);
-
-	// send off generic extension event
-	//
-	// and then look if we have a specialized event for the extension we just
-	// parsed. And if we have it, we send the specialized event on top of the
-	// generic event that we just had. I know, that is... kind of not nice,
-	// but I am not sure if there is a better way to do it...
-	val_list* vl = new val_list();
-	vl->append(GetFile()->GetVal()->Ref());
-	vl->append(pX509Ext);
-
-	mgr.QueueEvent(x509_extension, vl);
-
-	// look if we have a specialized handler for this event...
-	if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints )
-		ParseBasicConstraints(ex);
-
-	else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
-		ParseSAN(ex);
-	}
-
 void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 	{
 	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints);
@@ -326,6 +231,26 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 		reporter->Weird(fmt("Certificate with invalid BasicConstraint. fuid %s", GetFile()->GetID().c_str()));
 	}
 
+void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
+	{
+	// look if we have a specialized handler for this event...
+	if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints )
+		ParseBasicConstraints(ex);
+
+	else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
+		ParseSAN(ex);
+
+	// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts.
+	// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
+	// look it up by performing a string comparison on the oid.
+#ifdef NID_ct_precert_scts
+	else if ( OBJ_obj2nid(ext_asn) == NID_ct_precert_scts )
+#else
+	else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 )
+#endif
+		ParseSignedCertificateTimestamps(ex);
+	}
+
 void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 	{
 	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name);
@@ -517,164 +442,6 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key)
 	reporter->InternalError("cannot be reached");
 	}
 
-double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid)
-	{
-	const char *fid = arg_fid ? arg_fid : "";
-	time_t lResult = 0;
-
-	char lBuffer[26];
-	char* pBuffer = lBuffer;
-
-	const char *pString = (const char *) atime->data;
-	unsigned int remaining = atime->length;
-
-	if ( atime->type == V_ASN1_UTCTIME )
-		{
-		if ( remaining < 11 || remaining > 17 )
-			{
-			reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid));
-			return 0;
-			}
-
-		if ( pString[remaining-1] != 'Z' )
-			{
-			// not valid according to RFC 2459 4.1.2.5.1
-			reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid));
-			return 0;
-			}
-
-		// year is first two digits in YY format. Buffer expects YYYY format.
-		if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1
-			{
-			*(pBuffer++) = '2';
-			*(pBuffer++) = '0';
-			}
-		else
-			{
-			*(pBuffer++) = '1';
-			*(pBuffer++) = '9';
-			}
-
-		memcpy(pBuffer, pString, 10);
-		pBuffer += 10;
-		pString += 10;
-		remaining -= 10;
-		}
-	else if ( atime->type == V_ASN1_GENERALIZEDTIME )
-		{
-		// generalized time. We apparently ignore the YYYYMMDDHH case
-		// for now and assume we always have minutes and seconds.
-		// This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2
-
-		if ( remaining < 12 || remaining > 23 )
-			{
-			reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid));
-			return 0;
-			}
-
-		memcpy(pBuffer, pString, 12);
-		pBuffer += 12;
-		pString += 12;
-		remaining -= 12;
-		}
-	else
-		{
-		reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid));
-		return 0;
-		}
-
-	if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') )
-		{
-		*(pBuffer++) = '0';
-		*(pBuffer++) = '0';
-		}
-
-	else if ( remaining >= 2 )
-		{
-		*(pBuffer++) = *(pString++);
-		*(pBuffer++) = *(pString++);
-
-		remaining -= 2;
-
-		// Skip any fractional seconds...
-		if ( (remaining > 0) && (*pString == '.') )
-			{
-			pString++;
-			remaining--;
-
-			while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') )
-				{
-				pString++;
-				remaining--;
-				}
-			}
-		}
-
-	else
-		{
-		reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid));
-		return 0;
-		}
-
-	*(pBuffer++) = 'Z';
-	*(pBuffer++) = '\0';
-
-	time_t lSecondsFromUTC;
-
-	if ( remaining == 0 || *pString == 'Z' )
-		lSecondsFromUTC = 0;
-	else
-		{
-		if ( remaining < 5 )
-			{
-			reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid));
-			return 0;
-			}
-
-		if ((*pString != '+') && (*pString != '-'))
-			{
-			reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid));
-			return 0;
-			}
-
-		lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60;
-		lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0');
-
-		if (*pString == '-')
-			lSecondsFromUTC = -lSecondsFromUTC;
-		}
-
-	tm lTime;
-	lTime.tm_sec  = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0');
-	lTime.tm_min  = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
-	lTime.tm_hour = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
-	lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
-	lTime.tm_mon  = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1;
-	lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0');
-
-	if ( lTime.tm_year > 1900)
-		lTime.tm_year -= 1900;
-
-	lTime.tm_wday = 0;
-	lTime.tm_yday = 0;
-	lTime.tm_isdst = 0;  // No DST adjustment requested
-
-	lResult = mktime(&lTime);
-
-	if ( lResult )
-		{
-		if ( lTime.tm_isdst  != 0 )
-			lResult -= 3600;  // mktime may adjust for DST  (OS dependent)
-
-		lResult += lSecondsFromUTC;
-		}
-
-	else
-		lResult = 0;
-
-	return lResult;
-}
-
 X509Val::X509Val(::X509* arg_certificate) : OpaqueVal(x509_opaque_type)
 	{
 	certificate = arg_certificate;
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index c671c68a99..325e8becac 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -6,21 +6,18 @@
 #include <string>
 
 #include "Val.h"
-#include "../File.h"
-#include "Analyzer.h"
+#include "X509Common.h"
 
-#include <openssl/x509.h>
-#include <openssl/asn1.h>
 
 namespace file_analysis {
 
 class X509Val;
 
-class X509 : public file_analysis::Analyzer {
+class X509 : public file_analysis::X509Common {
 public:
-	virtual bool DeliverStream(const u_char* data, uint64 len);
-	virtual bool Undelivered(uint64 offset, uint64 len);
-	virtual bool EndOfFile();
+	bool DeliverStream(const u_char* data, uint64 len) override;
+	bool Undelivered(uint64 offset, uint64 len) override;
+	bool EndOfFile() override;
 
 	/**
 	 * Converts an X509 certificate into a \c X509::Certificate record
@@ -40,29 +37,17 @@ public:
 	static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file)
 		{ return new X509(args, file); }
 
-	/**
-	 * Retrieve an X509 extension value from an OpenSSL BIO to which it was
-	 * written.
-	 *
-	 * @param bio the OpenSSL BIO to read. It will be freed by the function,
-	 * including when an error occurs.
-	 *
-	 * @return The X509 extension value.
-	 */
-	static StringVal* GetExtensionFromBIO(BIO* bio);
-
 protected:
 	X509(RecordVal* args, File* file);
 
 private:
-	void ParseExtension(X509_EXTENSION* ex);
 	void ParseBasicConstraints(X509_EXTENSION* ex);
 	void ParseSAN(X509_EXTENSION* ex);
+	void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override;
 
 	std::string cert_data;
 
 	// Helpers for ParseCertificate.
-	static double GetTimeFromAsn1(const ASN1_TIME * atime, const char* fid);
 	static StringVal* KeyCurve(EVP_PKEY *key);
 	static unsigned int KeyLength(EVP_PKEY *key);
 };
diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc
new file mode 100644
index 0000000000..dba593a3eb
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/X509Common.cc
@@ -0,0 +1,316 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "X509Common.h"
+#include "x509-extension_pac.h"
+
+#include "events.bif.h"
+#include "ocsp_events.bif.h"
+#include "types.bif.h"
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/asn1.h>
+#include <openssl/opensslconf.h>
+#include <openssl/err.h>
+
+using namespace file_analysis;
+
+X509Common::X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file)
+	: file_analysis::Analyzer(arg_tag, arg_args, arg_file)
+	{
+	}
+
+double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter)
+	{
+	const char *fid = arg_fid ? arg_fid : "";
+	time_t lResult = 0;
+
+	char lBuffer[26];
+	char* pBuffer = lBuffer;
+
+	const char *pString = (const char *) atime->data;
+	unsigned int remaining = atime->length;
+
+	if ( atime->type == V_ASN1_UTCTIME )
+		{
+		if ( remaining < 11 || remaining > 17 )
+			{
+			reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid));
+			return 0;
+			}
+
+		if ( pString[remaining-1] != 'Z' )
+			{
+			// not valid according to RFC 2459 4.1.2.5.1
+			reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid));
+			return 0;
+			}
+
+		// year is first two digits in YY format. Buffer expects YYYY format.
+		if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1
+			{
+			*(pBuffer++) = '2';
+			*(pBuffer++) = '0';
+			}
+		else
+			{
+			*(pBuffer++) = '1';
+			*(pBuffer++) = '9';
+			}
+
+		memcpy(pBuffer, pString, 10);
+		pBuffer += 10;
+		pString += 10;
+		remaining -= 10;
+		}
+	else if ( atime->type == V_ASN1_GENERALIZEDTIME )
+		{
+		// generalized time. We apparently ignore the YYYYMMDDHH case
+		// for now and assume we always have minutes and seconds.
+		// This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2
+
+		if ( remaining < 12 || remaining > 23 )
+			{
+			reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid));
+			return 0;
+			}
+
+		memcpy(pBuffer, pString, 12);
+		pBuffer += 12;
+		pString += 12;
+		remaining -= 12;
+		}
+	else
+		{
+		reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid));
+		return 0;
+		}
+
+	if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') )
+		{
+		*(pBuffer++) = '0';
+		*(pBuffer++) = '0';
+		}
+
+	else if ( remaining >= 2 )
+		{
+		*(pBuffer++) = *(pString++);
+		*(pBuffer++) = *(pString++);
+
+		remaining -= 2;
+
+		// Skip any fractional seconds...
+		if ( (remaining > 0) && (*pString == '.') )
+			{
+			pString++;
+			remaining--;
+
+			while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') )
+				{
+				pString++;
+				remaining--;
+				}
+			}
+		}
+
+	else
+		{
+		reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid));
+		return 0;
+		}
+
+	*(pBuffer++) = 'Z';
+	*(pBuffer++) = '\0';
+
+	time_t lSecondsFromUTC;
+
+	if ( remaining == 0 || *pString == 'Z' )
+		lSecondsFromUTC = 0;
+	else
+		{
+		if ( remaining < 5 )
+			{
+			reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid));
+			return 0;
+			}
+
+		if ((*pString != '+') && (*pString != '-'))
+			{
+			reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid));
+			return 0;
+			}
+
+		lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60;
+		lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0');
+
+		if (*pString == '-')
+			lSecondsFromUTC = -lSecondsFromUTC;
+		}
+
+	tm lTime;
+	lTime.tm_sec  = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0');
+	lTime.tm_min  = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
+	lTime.tm_hour = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
+	lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
+	lTime.tm_mon  = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1;
+	lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0');
+
+	if ( lTime.tm_year > 1900)
+		lTime.tm_year -= 1900;
+
+	lTime.tm_wday = 0;
+	lTime.tm_yday = 0;
+	lTime.tm_isdst = 0;  // No DST adjustment requested
+
+	lResult = mktime(&lTime);
+
+	if ( lResult )
+		{
+		if ( lTime.tm_isdst  != 0 )
+			lResult -= 3600;  // mktime may adjust for DST  (OS dependent)
+
+		lResult += lSecondsFromUTC;
+		}
+
+	else
+		lResult = 0;
+
+	return lResult;
+}
+
+void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext)
+	{
+	// Ok, signed certificate timestamps are a bit of an odd case out; we don't
+	// want to use the (basically nonexistant) OpenSSL functionality to parse them.
+	// Instead we have our own, self-written binpac parser to parse just them,
+	// which we will initialize here and tear down immediately again.
+
+	ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext);
+	// the octet string of the extension contains the octet string which in turn
+	// contains the SCT. Obviously.
+
+	unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length);
+	unsigned char* ext_val_second_pointer = ext_val_copy;
+	memcpy(ext_val_copy, ext_val->data, ext_val->length);
+
+	ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length);
+	if ( !inner )
+		{
+		reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string");
+		return;
+		}
+
+	binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this);
+	binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn);
+
+	try
+		{
+		interp->NewData(inner->data, inner->data + inner->length);
+		}
+	catch( const binpac::Exception& e )
+		{
+		// throw a warning or sth
+		reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT");
+		}
+
+	M_ASN1_OCTET_STRING_free(inner);
+	OPENSSL_free(ext_val_second_pointer);
+
+	interp->FlowEOF();
+
+	delete interp;
+	delete conn;
+	}
+
+void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerPtr h, bool global)
+	{
+	char name[256];
+	char oid[256];
+
+	ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex);
+	const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn));
+
+	OBJ_obj2txt(name, 255, ext_asn, 0);
+	OBJ_obj2txt(oid, 255, ext_asn, 1);
+
+	int critical = 0;
+	if ( X509_EXTENSION_get_critical(ex) != 0 )
+		critical = 1;
+
+	BIO *bio = BIO_new(BIO_s_mem());
+	if( ! X509V3_EXT_print(bio, ex, 0, 0))
+		M_ASN1_OCTET_STRING_print(bio,ex->value);
+
+	StringVal* ext_val = GetExtensionFromBIO(bio);
+
+	if ( ! ext_val )
+		ext_val = new StringVal(0, "");
+
+	RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension);
+	pX509Ext->Assign(0, new StringVal(name));
+
+	if ( short_name and strlen(short_name) > 0 )
+		pX509Ext->Assign(1, new StringVal(short_name));
+
+	pX509Ext->Assign(2, new StringVal(oid));
+	pX509Ext->Assign(3, new Val(critical, TYPE_BOOL));
+	pX509Ext->Assign(4, ext_val);
+
+	// send off generic extension event
+	//
+	// and then look if we have a specialized event for the extension we just
+	// parsed. And if we have it, we send the specialized event on top of the
+	// generic event that we just had. I know, that is... kind of not nice,
+	// but I am not sure if there is a better way to do it...
+	val_list* vl = new val_list();
+	vl->append(GetFile()->GetVal()->Ref());
+	vl->append(pX509Ext);
+	if ( h == ocsp_extension )
+		vl->append(new Val(global ? 1 : 0, TYPE_BOOL));
+
+	mgr.QueueEvent(h, vl);
+
+	// let individual analyzers parse more.
+	ParseExtensionsSpecific(ex, global, ext_asn, oid);
+	}
+
+StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio)
+	{
+	BIO_flush(bio);
+	ERR_clear_error();
+	int length = BIO_pending(bio);
+
+	if ( ERR_peek_error() != 0 )
+		{
+		char tmp[120];
+		ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp));
+		reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp));
+		BIO_free_all(bio);
+		return 0;
+		}
+
+	if ( length == 0 )
+		{
+		BIO_free_all(bio);
+		return new StringVal("");
+		}
+
+	char* buffer = (char*) malloc(length);
+
+	if ( ! buffer )
+		{
+		// Just emit an error here and try to continue instead of aborting
+		// because it's unclear the length value is very reliable.
+		reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length);
+		BIO_free_all(bio);
+		return 0;
+		}
+
+	BIO_read(bio, (void*) buffer, length);
+	StringVal* ext_val = new StringVal(length, buffer);
+
+	free(buffer);
+	BIO_free_all(bio);
+
+	return ext_val;
+	}
diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h
new file mode 100644
index 0000000000..1e1a9b94ee
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/X509Common.h
@@ -0,0 +1,44 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Common base class for the X509 and OCSP analyzer, which share a fair amount of
+// code
+
+#ifndef FILE_ANALYSIS_X509_COMMON
+#define FILE_ANALYSIS_X509_COMMON
+
+#include "../File.h"
+#include "Analyzer.h"
+
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+
+namespace file_analysis {
+
+class X509Common : public file_analysis::Analyzer {
+public:
+	virtual ~X509Common() {};
+
+	/**
+	 * Retrieve an X509 extension value from an OpenSSL BIO to which it was
+	 * written.
+	 *
+	 * @param bio the OpenSSL BIO to read. It will be freed by the function,
+	 * including when an error occurs.
+	 *
+	 * @return The X509 extension value.
+	 */
+	static StringVal* GetExtensionFromBIO(BIO* bio);
+
+	static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter);
+
+protected:
+	X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file);
+
+	void ParseExtension(X509_EXTENSION* ex, EventHandlerPtr h, bool global);
+	void ParseSignedCertificateTimestamps(X509_EXTENSION* ext);
+	virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) = 0;
+};
+
+}
+
+#endif /* FILE_ANALYSIS_X509_COMMON */
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index fcdeaa31d1..68afe5340a 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
@@ -1,4 +1,4 @@
-## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS 
+## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS
 ## connection handshake.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
@@ -13,7 +13,7 @@
 ##
 ## .. bro:see:: x509_extension x509_ext_basic_constraints
 ##              x509_ext_subject_alternative_name x509_parse x509_verify
-##              x509_get_certificate_string
+##              x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
 event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%);
 
 ## Generated for X509 extensions seen in a certificate.
@@ -27,7 +27,7 @@ event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certif
 ##
 ## .. bro:see:: x509_certificate x509_ext_basic_constraints
 ##              x509_ext_subject_alternative_name x509_parse x509_verify
-##              x509_get_certificate_string
+##              x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
 event x509_extension%(f: fa_file, ext: X509::Extension%);
 
 ## Generated for the X509 basic constraints extension seen in a certificate.
@@ -39,7 +39,7 @@ event x509_extension%(f: fa_file, ext: X509::Extension%);
 ##
 ## .. bro:see:: x509_certificate x509_extension
 ##              x509_ext_subject_alternative_name x509_parse x509_verify
-##              x509_get_certificate_string
+##              x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
 event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
 
 ## Generated for the X509 subject alternative name extension seen in a certificate.
@@ -52,6 +52,34 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
 ## ext: The parsed subject alternative name extension.
 ##
 ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
-##              x509_parse x509_verify
+##              x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp
 ##              x509_get_certificate_string
 event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%);
+
+## Generated for the signed_certificate_timestamp X509 extension as defined in
+## :rfc:`6962`. The extension is used to transmit signed proofs that are
+## used for Certificate Transparency. Raised when the extension is encountered
+## in an X.509 certificate or in an OCSP reply.
+##
+## f: The file.
+##
+## version: the version of the protocol to which the SCT conforms. Always
+##          should be 0 (representing version 1)
+##
+## logid: 32 bit key id
+##
+## timestamp: the NTP Time when the entry was logged measured since
+##            the epoch, ignoring leap seconds, in milliseconds.
+##
+## signature_and_hashalgorithm: signature and hash algorithm used for the
+##                              digitally_signed struct
+##
+## signature: signature part of the digitally_signed struct
+##
+## .. bro:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints
+##              x509_parse x509_verify x509_ext_subject_alternative_name
+##              x509_get_certificate_string ssl_extension_signed_certificate_timestamp
+##              sct_verify ocsp_request ocsp_request_certificate ocsp_response_status
+##              ocsp_response_bytes ocsp_response_certificate
+##              x509_ocsp_ext_signed_certificate_timestamp
+event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string%);
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index c977c746d4..1c1ec51818 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -1,6 +1,7 @@
 %%{
 #include "file_analysis/analyzer/x509/X509.h"
 #include "types.bif.h"
+#include "net_util.h"
 
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
@@ -139,6 +140,35 @@ X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid)
 	return 0;
 	}
 
+// Convert hash algorithm registry numbers to the OpenSSL EVP_MD.
+// Mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+const EVP_MD* hash_to_evp(int hash)
+	{
+	switch ( hash )
+		{
+		case 1:
+			return EVP_md5();
+			break;
+		case 2:
+			return EVP_sha1();
+			break;
+		case 3:
+			return EVP_sha224();
+			break;
+		case 4:
+			return EVP_sha256();
+			break;
+		case 5:
+			return EVP_sha384();
+			break;
+		case 6:
+			return EVP_sha512();
+			break;
+		default:
+			return nullptr;
+		}
+	}
+
 %%}
 
 ## Parses a certificate into an X509::Certificate structure.
@@ -338,8 +368,11 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 		goto x509_ocsp_cleanup;
 		}
 
-	out = OCSP_basic_verify(basic, NULL, ctx, 0);
-	if ( result < 1 )
+	// We pass OCSP_NOVERIFY to let OCSP_basic_verify skip the chain verification.
+	// With that, it only verifies the signature of the basic response and we are responsible
+	// for the chain ourselves. We have to do that since we cannot get OCSP_basic_verify to use our timestamp.
+	out = OCSP_basic_verify(basic, NULL, ctx, OCSP_NOVERIFY);
+	if ( out < 1 )
 		{
 		rval = x509_result_record(out, ERR_error_string(ERR_get_error(),NULL));
 		goto x509_ocsp_cleanup;
@@ -452,7 +485,7 @@ x509_ocsp_cleanup:
 ##
 ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
 ##              x509_ext_subject_alternative_name x509_parse
-##              x509_get_certificate_string x509_ocsp_verify
+##              x509_get_certificate_string x509_ocsp_verify sct_verify
 function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
 	%{
 	X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal());
@@ -539,3 +572,294 @@ x509_verify_chainerror:
 
 	return rrecord;
 	%}
+
+## Verifies a Signed Certificate Timestamp as used for Certificate Transparency.
+## See RFC6962 for more details.
+##
+## cert: Certificate against which the SCT should be validated.
+##
+## logid: Log id of the SCT.
+##
+## log_key: Public key of the Log that issued the SCT proof.
+##
+## timestamp: Timestamp at which the proof was generated.
+##
+## hash_algorithm: Hash algorithm that was used for the SCT proof.
+##
+## issuer_key_hash: The SHA-256 hash of the certificate issuer's public key.
+##                  This only has to be provided if the SCT was encountered in an X.509
+##                  certificate extension; in that case, it is necessary for validation.
+##
+## Returns: T if the validation could be performed succesfully, F otherwhise.
+##
+## .. bro:see:: ssl_extension_signed_certificate_timestamp
+##              x509_ocsp_ext_signed_certificate_timestamp
+##              x509_verify
+function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool
+	%{
+	assert(cert);
+	file_analysis::X509Val* h = (file_analysis::X509Val*) cert;
+	X509* x = ((file_analysis::X509Val*) h)->GetCertificate();
+
+	assert(sizeof(timestamp) >= 8);
+	uint64_t timestamp_network = htonll(timestamp);
+
+	bool precert = issuer_key_hash->Len() > 0;
+	if ( precert && issuer_key_hash->Len() != 32)
+		{
+		reporter->Error("Invalid issuer_key_hash length");
+		return new Val(0, TYPE_BOOL);
+		}
+
+	std::string data;
+	data.push_back(0); // version
+	data.push_back(0); // signature_type -> certificate_timestamp
+	data.append(reinterpret_cast<const char*>(&timestamp_network), sizeof(timestamp_network)); // timestamp -> 64 bits
+	if ( precert )
+		data.append("\0\1", 2); // entry-type: precert_entry
+	else
+		data.append("\0\0", 2); // entry-type: x509_entry
+
+	if ( precert )
+		{
+		x = X509_dup(x);
+		assert(x);
+		// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts.
+		// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
+		// look it up by performing a string comparison on the oid.
+#ifdef NID_ct_precert_scts
+		int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1);
+		if ( pos < 0 )
+			{
+			reporter->Error("NID_ct_precert_scts not found");
+			return new Val(0, TYPE_BOOL);
+			}
+#else
+		int num_ext = X509_get_ext_count(x);
+		int pos = -1;
+		for ( int k = 0; k < num_ext; ++k )
+			{
+			char oid[256];
+			X509_EXTENSION* ex = X509_get_ext(x, k);
+			ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex);
+			OBJ_obj2txt(oid, 255, ext_asn, 1);
+			if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 )
+				{
+				pos = k;
+				break;
+				}
+			}
+#endif
+		X509_EXTENSION_free(X509_delete_ext(x, pos));
+#ifdef NID_ct_precert_scts
+		assert( X509_get_ext_by_NID(x, NID_ct_precert_scts, -1) == -1 );
+#endif
+		}
+
+	unsigned char *cert_out = nullptr;
+	uint32 cert_length;
+	if ( precert )
+		{
+		// we also could use i2d_re_X509_tbs, for OpenSSL >= 1.0.2
+		x->cert_info->enc.modified = 1;
+		cert_length = i2d_X509_CINF(x->cert_info, &cert_out);
+		data.append(reinterpret_cast<const char*>(issuer_key_hash->Bytes()), issuer_key_hash->Len());
+		}
+	else
+		cert_length = i2d_X509(x, &cert_out);
+	assert( cert_out );
+	uint32 cert_length_network = htonl(cert_length);
+	assert( sizeof(cert_length_network) == 4);
+
+	data.append(reinterpret_cast<const char*>(&cert_length_network)+1, 3); // 3 bytes certificate length
+	data.append(reinterpret_cast<const char*>(cert_out), cert_length); // der-encoded certificate
+	OPENSSL_free(cert_out);
+	if ( precert )
+		X509_free(x);
+	data.append("\0\0", 2); // no extensions
+
+	// key is given as a DER-encoded SubjectPublicKeyInfo.
+	const unsigned char *key_char = log_key->Bytes();
+	EVP_PKEY* key = d2i_PUBKEY(nullptr, &key_char, log_key->Len());
+
+	EVP_MD_CTX *mdctx = EVP_MD_CTX_create();
+	assert(mdctx);
+
+	string errstr;
+	int success = 0;
+
+	const EVP_MD* hash = hash_to_evp(hash_algorithm);
+	if ( ! hash )
+		{
+		errstr = "Unknown hash algorithm";
+		goto sct_verify_err;
+		}
+
+	if ( ! key )
+		{
+		errstr = "Could not load log key";
+		goto sct_verify_err;
+		}
+
+	if ( ! EVP_DigestVerifyInit(mdctx, NULL, hash, NULL, key) )
+		{
+		errstr = "Could not init signature verification";
+		goto sct_verify_err;
+		}
+
+	if ( ! EVP_DigestVerifyUpdate(mdctx, data.data(), data.size()) )
+		{
+		errstr = "Could not update digest for verification";
+		goto sct_verify_err;
+		}
+
+#ifdef NID_ct_precert_scts
+	success = EVP_DigestVerifyFinal(mdctx, signature->Bytes(), signature->Len());
+#else
+	// older versions of OpenSSL use a non-const-char *sigh*
+	// I don't think they actually manipulate the value though.
+	// todo - this needs a cmake test
+	success = EVP_DigestVerifyFinal(mdctx, (unsigned char*) signature->Bytes(), signature->Len());
+#endif
+	EVP_MD_CTX_destroy(mdctx);
+	EVP_PKEY_free(key);
+
+	return new Val(success, TYPE_BOOL);
+
+sct_verify_err:
+	if (mdctx)
+		EVP_MD_CTX_destroy(mdctx);
+	if (key)
+		EVP_PKEY_free(key);
+
+	reporter->Error("%s", errstr.c_str());
+	return new Val(0, TYPE_BOOL);
+	%}
+
+
+%%{
+/**
+ * 0 -> subject name
+ * 1 -> issuer name
+ * 2 -> pubkey
+ */
+StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type)
+	{
+	assert(cert_handle);
+
+	if ( type > 2 )
+		{
+		reporter->InternalError("Unknown type in x509_entity_hash");
+		return nullptr;
+		}
+
+	X509 *cert_x509 = cert_handle->GetCertificate();
+	if ( cert_x509 == nullptr )
+		{
+		builtin_error("cannot get cert from opaque");
+		return nullptr;
+		}
+
+	X509_NAME *subject_name = X509_get_subject_name(cert_x509);
+	X509_NAME *issuer_name = X509_get_issuer_name(cert_x509);
+	if ( subject_name == nullptr || issuer_name == nullptr )
+		{
+		builtin_error("fail to get subject/issuer name from certificate");
+		return nullptr;
+		}
+
+	const EVP_MD *dgst = hash_to_evp(hash_alg);
+	if ( dgst == nullptr )
+		{
+		builtin_error("Unknown hash algorithm.");
+		return nullptr;
+		}
+
+	unsigned char md[EVP_MAX_MD_SIZE];
+	memset(md, 0, sizeof(md));
+	unsigned int len = 0;
+
+	int res = 0;
+
+	if ( type == 0 )
+		res = X509_NAME_digest(subject_name, dgst, md, &len);
+	else if ( type == 1 )
+		res = X509_NAME_digest(issuer_name, dgst, md, &len);
+	else if ( type == 2 )
+		{
+		unsigned char *spki = nullptr;
+		int pklen = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert_x509), &spki);
+		if ( ! pklen )
+			{
+			builtin_error("Could not get SPKI");
+			return nullptr;
+			}
+		res = EVP_Digest(spki, pklen, md, &len, dgst, nullptr);
+		OPENSSL_free(spki);
+		}
+
+	if ( ! res )
+		{
+		builtin_error("Could not perform hash");
+		return nullptr;
+		}
+
+	assert( len <= sizeof(md) );
+
+	return new StringVal(len, reinterpret_cast<const char*>(md));
+	}
+%%}
+
+## Get the hash of the subject's distinguished name.
+##
+## cert: The X509 certificate opaque handle.
+##
+## hash_alg: the hash algorithm to use, according to the IANA mapping at
+##           https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+##
+## Returns: The hash as a string.
+##
+## .. bro:see:: x509_issuer_name_hash x509_spki_hash
+##              x509_verify sct_verify
+function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string
+	%{
+	file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
+
+	return x509_entity_hash(cert_handle, hash_alg, 0);
+	%}
+
+## Get the hash of the issuer's distinguished name.
+##
+## cert: The X509 certificate opaque handle.
+##
+## hash_alg: the hash algorithm to use, according to the IANA mapping at
+##           https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+##
+## Returns: The hash as a string.
+##
+## .. bro:see:: x509_subject_name_hash x509_spki_hash
+##              x509_verify sct_verify
+function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string
+	%{
+	file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
+
+	return x509_entity_hash(cert_handle, hash_alg, 1);
+	%}
+
+## Get the hash of the Subject Public Key Information of the certificate.
+##
+## cert: The X509 certificate opaque handle.
+##
+## hash_alg: the hash algorithm to use, according to the IANA mapping at
+##           https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+##
+## Returns: The hash as a string.
+##
+## .. bro:see:: x509_subject_name_hash x509_issuer_name_hash
+##              x509_verify sct_verify
+function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string
+	%{
+	file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
+
+	return x509_entity_hash(cert_handle, hash_alg, 2);
+	%}
diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif
new file mode 100644
index 0000000000..4e0ed6e9dc
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/ocsp_events.bif
@@ -0,0 +1,120 @@
+## Event that is raised when encountering an OCSP request, e.g. in an HTTP
+## connection. See :rfc:`6960` for more details.
+##
+## This event is raised exactly once for each OCSP Request.
+##
+## f: The file.
+##
+## req: version: the version of the OCSP request. Typically 0 (Version 1).
+##
+## requestorName: name of the OCSP requestor. This attribute is optional; if
+##                it is not set, an empty string is returned here.
+##
+## .. bro:see:: ocsp_request_certificate ocsp_response_status
+##              ocsp_response_bytes ocsp_response_certificate ocsp_extension
+##              x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_request%(f: fa_file, version: count, requestorName: string%);
+
+## Event that is raised when encountering an OCSP request for a certificate,
+## e.g. in an HTTP connection. See :rfc:`6960` for more details.
+##
+## Note that a single OCSP request can contain requests for several certificates.
+## Thus this event can fire several times for one OCSP request, each time
+## requesting information for a different (or in theory even the same) certificate.
+##
+## f: The file.
+##
+## hashAlgorithm: The hash algorithm used for the issuerKeyHash.
+##
+## issuerKeyHash: Hash of the issuers public key.
+##
+## serialNumber: Serial number of the certificate for which the status is requested.
+##
+## .. bro:see:: ocsp_request ocsp_response_status
+##              ocsp_response_bytes ocsp_response_certificate ocsp_extension
+##              x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string%);
+
+## This event is raised when encountering an OCSP reply, e.g. in an HTTP
+## connection or a TLS extension. See :rfc:`6960` for more details.
+##
+## This event is raised exactly once for each OCSP reply.
+##
+## f: The file.
+##
+## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate
+##              ocsp_response_bytes ocsp_response_certificate ocsp_extension
+##              x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_response_status%(f: fa_file, status: string%);
+
+## This event is raised when encountering an OCSP response that contains response information.
+## An OCSP reply can be encountered, for example, in an HTTP connection or
+## a TLS extension. See :rfc:`6960` for more details on OCSP.
+##
+## f: The file.
+##
+## req_ref: An opaque pointer to the underlying OpenSSL data structure of the
+##          OCSP response.
+##
+## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
+##
+## version: Version of the OCSP response (typically - for version 1).
+##
+## responderId: The id of the OCSP responder; either a public key hash or a distinguished name.
+##
+## producedAt: Time at which the reply was produced.
+##
+## signatureAlgorithm: Algorithm used for the OCSP signature.
+##
+## certs: Optional list of certificates that are sent with the OCSP response; these typically
+##        are needed to perform validation of the reply.
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+##              ocsp_response_certificate ocsp_extension
+##              x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%);
+
+## This event is raised for each SingleResponse contained in an OCSP response.
+## See :rfc:`6960` for more details on OCSP.
+##
+## f: The file.
+##
+## hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash.
+##
+## issuerNameHash: Hash of the issuer's distinguished name.
+##
+## issuerKeyHash: Hash of the issuer's public key.
+##
+## serialNumber: Serial number of the affected certificate.
+##
+## certStatus: Status of the certificate.
+##
+## revokeTime: Time the certificate was revoked, 0 if not revoked.
+##
+## revokeTeason: Reason certificate was revoked; empty string if not revoked or not specified.
+##
+## thisUpdate: Time this response was generated.
+##
+## nextUpdate: Time next response will be ready; 0 if not supploed.
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+##              ocsp_response_bytes ocsp_extension
+##              x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time%);
+
+## This event is raised when an OCSP extension is encountered in an OCSP response.
+## See :rfc:`6960` for more details on OCSP.
+##
+## f: The file.
+##
+## ext: The parsed extension (same format as X.509 extensions).
+##
+## global_resp: T if extension encountered in the global response (in ResponseData),
+##              F when encountered in a SingleResponse.
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+##              ocsp_response_bytes ocsp_response_certificate
+##              x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_extension%(f: fa_file, ext: X509::Extension, global_resp: bool%);
diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac
new file mode 100644
index 0000000000..396debbbbe
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/x509-extension.pac
@@ -0,0 +1,54 @@
+# Binpac analyzer for X.509 extensions
+# we just use it for the SignedCertificateTimestamp at the moment
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+#include "types.bif.h"
+#include "file_analysis/File.h"
+#include "events.bif.h"
+%}
+
+analyzer X509Extension withcontext {
+	connection: MockConnection;
+	flow:       SignedCertTimestampExt;
+};
+
+connection MockConnection(bro_analyzer: BroFileAnalyzer) {
+	upflow = SignedCertTimestampExt;
+	downflow = SignedCertTimestampExt;
+};
+
+%include x509-signed_certificate_timestamp.pac
+
+# The base record
+type HandshakeRecord() = record {
+	signed_certificate_timestamp_list: SignedCertificateTimestampList(this)[] &transient;
+} &byteorder = bigendian;
+
+flow SignedCertTimestampExt {
+	flowunit = HandshakeRecord withcontext(connection, this);
+};
+
+refine connection MockConnection += {
+
+	function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool
+		%{
+		BifEvent::generate_x509_ocsp_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(),
+			bro_analyzer()->GetFile()->GetVal()->Ref(),
+			version,
+			new StringVal(logid.length(), reinterpret_cast<const char*>(logid.begin())),
+			timestamp,
+			digitally_signed_algorithms->HashAlgorithm(),
+			digitally_signed_algorithms->SignatureAlgorithm(),
+			new StringVal(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
+		);
+
+		return true;
+		%}
+};
+
+refine typeattr SignedCertificateTimestamp += &let {
+	proc : bool = $context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature);
+};
diff --git a/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac
new file mode 120000
index 0000000000..88305ed8fd
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac
@@ -0,0 +1 @@
+../../../analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
\ No newline at end of file
diff --git a/src/input/Manager.cc b/src/input/Manager.cc
index b84d822101..d029e38092 100644
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@@ -2380,7 +2380,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ
 		bro_int_t index = request_type->AsEnumType()->Lookup(module, var.c_str());
 		if ( index == -1 )
 			{
-			Warning(i, "Value not '%s' for stream '%s' is not a valid enum.",
+			Warning(i, "Value '%s' for stream '%s' is not a valid enum.",
 			                        enum_string.c_str(), i->name.c_str());
 
 			have_error = true;
diff --git a/src/input/Manager.h b/src/input/Manager.h
index e7a1ebe2d6..8296ce9f8b 100644
--- a/src/input/Manager.h
+++ b/src/input/Manager.h
@@ -240,7 +240,7 @@ private:
 
 	enum class ErrorType { INFO, WARNING, ERROR };
 	void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) __attribute__((format(printf, 5, 6)));
-	void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap);
+	void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap) __attribute__((format(printf, 5, 0)));
 
 	Stream* FindStream(const string &name);
 	Stream* FindStream(ReaderFrontend* reader);
diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc
index 8b609bda04..d9120b91ae 100644
--- a/src/input/readers/ascii/Ascii.cc
+++ b/src/input/readers/ascii/Ascii.cc
@@ -49,6 +49,9 @@ FieldMapping FieldMapping::subType()
 Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend)
 	{
 	mtime = 0;
+	suppress_warnings = false;
+	fail_on_file_problem = false;
+	fail_on_invalid_lines = false;
 	}
 
 Ascii::~Ascii()
@@ -61,6 +64,8 @@ void Ascii::DoClose()
 
 bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields)
 	{
+	suppress_warnings = false;
+
 	separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(),
 	                 BifConst::InputAscii::separator->Len());
 
@@ -73,6 +78,9 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f
 	unset_field.assign( (const char*) BifConst::InputAscii::unset_field->Bytes(),
 	                   BifConst::InputAscii::unset_field->Len());
 
+	fail_on_invalid_lines = BifConst::InputAscii::fail_on_invalid_lines;
+	fail_on_file_problem = BifConst::InputAscii::fail_on_file_problem;
+
 	// Set per-filter configuration options.
 	for ( ReaderInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ )
 		{
@@ -87,6 +95,12 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f
 
 		else if ( strcmp(i->first, "unset_field") == 0 )
 			unset_field.assign(i->second);
+
+		else if ( strcmp(i->first, "fail_on_invalid_lines") == 0 )
+			fail_on_invalid_lines = (strncmp(i->second, "T", 1) == 0);
+
+		else if ( strcmp(i->first, "fail_on_file_problem") == 0 )
+			fail_on_file_problem = (strncmp(i->second, "T", 1) == 0);
 		}
 
 	if ( separator.size() != 1 )
@@ -98,26 +112,51 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f
 	formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field);
 	formatter = unique_ptr<threading::formatter::Formatter>(new formatter::Ascii(this, sep_info));
 
-	file.open(info.source);
+	return DoUpdate();
+	}
+
+void Ascii::FailWarn(bool is_error, const char *msg, bool suppress_future)
+	{
+	if ( is_error )
+		Error(msg);
+	else
+		{
+		// suppress error message when we are already in error mode.
+		// There is no reason to repeat it every second.
+		if ( ! suppress_warnings )
+			Warning(msg);
+
+		if ( suppress_future )
+			suppress_warnings = true;
+		}
+	}
+
+bool Ascii::OpenFile()
+	{
+	if ( file.is_open() )
+		return true;
+
+	file.open(Info().source);
+
 	if ( ! file.is_open() )
 		{
-		Error(Fmt("Init: cannot open %s", info.source));
-		return false;
+		FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", Info().source), true);
+
+		return ! fail_on_file_problem;
 		}
 
 	if ( ReadHeader(false) == false )
 		{
-		Error(Fmt("Init: cannot open %s; headers are incorrect", info.source));
+		FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s; problem reading file header", Info().source), true);
+
 		file.close();
-		return false;
+		return ! fail_on_file_problem;
 		}
 
-	DoUpdate();
-
+	suppress_warnings = false;
 	return true;
 	}
 
-
 bool Ascii::ReadHeader(bool useCached)
 	{
 	// try to read the header line...
@@ -128,7 +167,8 @@ bool Ascii::ReadHeader(bool useCached)
 		{
 		if ( ! GetLine(line) )
 			{
-			Error("could not read first line");
+			FailWarn(fail_on_file_problem, Fmt("Could not read input data file %s; first line could not be read",
+							 Info().source), true);
 			return false;
 			}
 
@@ -170,8 +210,9 @@ bool Ascii::ReadHeader(bool useCached)
 				continue;
 				}
 
-			Error(Fmt("Did not find requested field %s in input data file %s.",
-				  field->name, Info().source));
+			FailWarn(fail_on_file_problem, Fmt("Did not find requested field %s in input data file %s.",
+							 field->name, Info().source), true);
+
 			return false;
 			}
 
@@ -182,8 +223,9 @@ bool Ascii::ReadHeader(bool useCached)
 			map<string, uint32_t>::iterator fit2 = ifields.find(field->secondary_name);
 			if ( fit2 == ifields.end() )
 				{
-				Error(Fmt("Could not find requested port type field %s in input data file.",
-					  field->secondary_name));
+				FailWarn(fail_on_file_problem, Fmt("Could not find requested port type field %s in input data file.",
+								 field->secondary_name), true);
+
 				return false;
 				}
 
@@ -193,7 +235,6 @@ bool Ascii::ReadHeader(bool useCached)
 		columnMap.push_back(f);
 		}
 
-
 	// well, that seems to have worked...
 	return true;
 	}
@@ -224,6 +265,9 @@ bool Ascii::GetLine(string& str)
 // read the entire file and send appropriate thingies back to InputMgr
 bool Ascii::DoUpdate()
 	{
+	if ( ! OpenFile() )
+		return ! fail_on_file_problem;
+
 	switch ( Info().mode ) {
 		case MODE_REREAD:
 			{
@@ -231,8 +275,10 @@ bool Ascii::DoUpdate()
 			struct stat sb;
 			if ( stat(Info().source, &sb) == -1 )
 				{
-				Error(Fmt("Could not get stat for %s", Info().source));
-				return false;
+				FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", Info().source), true);
+
+				file.close();
+				return ! fail_on_file_problem;
 				}
 
 			if ( sb.st_mtime <= mtime ) // no change
@@ -254,8 +300,10 @@ bool Ascii::DoUpdate()
 				if ( Info().mode == MODE_STREAM )
 					{
 					file.clear(); // remove end of file evil bits
-					if ( !ReadHeader(true) )
-						return false; // header reading failed
+					if ( ! ReadHeader(true) )
+						{
+						return ! fail_on_file_problem; // header reading failed
+						}
 
 					break;
 					}
@@ -263,17 +311,7 @@ bool Ascii::DoUpdate()
 				file.close();
 				}
 
-			file.open(Info().source);
-			if ( ! file.is_open() )
-				{
-				Error(Fmt("cannot open %s", Info().source));
-				return false;
-				}
-
-			if ( ReadHeader(false) == false )
-				{
-				return false;
-				}
+			OpenFile();
 
 			break;
 			}
@@ -327,14 +365,23 @@ bool Ascii::DoUpdate()
 
 			if ( (*fit).position > pos || (*fit).secondary_position > pos )
 				{
-				Error(Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d",
-					  line.c_str(), pos,  (*fit).position, (*fit).secondary_position));
+				FailWarn(fail_on_invalid_lines, Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d",
+					  line.c_str(), pos, (*fit).position, (*fit).secondary_position));
 
-				for ( int i = 0; i < fpos; i++ )
-					delete fields[i];
+				if ( fail_on_invalid_lines )
+					{
+					for ( int i = 0; i < fpos; i++ )
+						delete fields[i];
 
-				delete [] fields;
-				return false;
+					delete [] fields;
+
+					return false;
+					}
+				else
+					{
+					error = true;
+					break;
+					}
 				}
 
 			Value* val = formatter->ParseValue(stringfields[(*fit).position], (*fit).name, (*fit).type, (*fit).subtype);
@@ -390,6 +437,9 @@ bool Ascii::DoUpdate()
 
 bool Ascii::DoHeartbeat(double network_time, double current_time)
 	{
+	if ( ! OpenFile() )
+		return ! fail_on_file_problem;
+
 	switch ( Info().mode )
 		{
 		case MODE_MANUAL:
diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h
index 20a459968d..7a7fa52590 100644
--- a/src/input/readers/ascii/Ascii.h
+++ b/src/input/readers/ascii/Ascii.h
@@ -55,6 +55,11 @@ protected:
 private:
 	bool ReadHeader(bool useCached);
 	bool GetLine(string& str);
+	bool OpenFile();
+	// Call Warning or Error, depending on the is_error boolean.
+	// In case of a warning, setting suppress_future to true will suppress all future warnings
+	// (by setting suppress_warnings to true, until suppress_warnings is set back to false)
+	void FailWarn(bool is_error, const char *msg, bool suppress_future = false);
 
 	ifstream file;
 	time_t mtime;
@@ -70,6 +75,12 @@ private:
 	string set_separator;
 	string empty_field;
 	string unset_field;
+	bool fail_on_invalid_lines;
+	bool fail_on_file_problem;
+
+	// this is an internal indicator in case the read is currently in a failed state
+	// it's used to suppress duplicate error messages.
+	bool suppress_warnings;
 
 	std::unique_ptr<threading::formatter::Formatter> formatter;
 };
diff --git a/src/input/readers/ascii/ascii.bif b/src/input/readers/ascii/ascii.bif
index 8bb3a96492..80ff4611e7 100644
--- a/src/input/readers/ascii/ascii.bif
+++ b/src/input/readers/ascii/ascii.bif
@@ -5,3 +5,5 @@ const separator: string;
 const set_separator: string;
 const empty_field: string;
 const unset_field: string;
+const fail_on_invalid_lines: bool;
+const fail_on_file_problem: bool;
diff --git a/src/input/readers/raw/Plugin.cc b/src/input/readers/raw/Plugin.cc
index c7af84e34e..e16a233fe6 100644
--- a/src/input/readers/raw/Plugin.cc
+++ b/src/input/readers/raw/Plugin.cc
@@ -8,7 +8,6 @@ using namespace plugin::Bro_RawReader;
 
 Plugin::Plugin()
 	{
-	init = false;
 	}
 
 plugin::Configuration Plugin::Configure()
@@ -23,21 +22,14 @@ plugin::Configuration Plugin::Configure()
 
 void Plugin::InitPreScript()
 	{
-	if ( pthread_mutex_init(&fork_mutex, 0) != 0 )
-		reporter->FatalError("cannot initialize raw reader's mutex");
-
-	init = true;
 	}
 
 void Plugin::Done()
 	{
-	pthread_mutex_destroy(&fork_mutex);
-	init = false;
 	}
 
-pthread_mutex_t* Plugin::ForkMutex()
+std::unique_lock<std::mutex> Plugin::ForkMutex()
 	{
-	assert(init);
-	return &fork_mutex;
+	return std::unique_lock<std::mutex>(fork_mutex, std::defer_lock);
 	}
 
diff --git a/src/input/readers/raw/Plugin.h b/src/input/readers/raw/Plugin.h
index 59a5dfd2be..8b7f9edc10 100644
--- a/src/input/readers/raw/Plugin.h
+++ b/src/input/readers/raw/Plugin.h
@@ -1,4 +1,6 @@
-// See the file  in the main distribution directory for copyright.
+// See the file in the main distribution directory for copyright.
+
+#include <mutex>
 
 #include "plugin/Plugin.h"
 
@@ -16,11 +18,10 @@ public:
 	virtual void InitPreScript();
 	virtual void Done();
 
-	pthread_mutex_t * ForkMutex();
+	std::unique_lock<std::mutex> ForkMutex();
 
 private:
-	bool init;
-	pthread_mutex_t fork_mutex;
+	std::mutex fork_mutex;
 
 };
 
diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc
index cfa7b72602..ae1f0939a8 100644
--- a/src/input/readers/raw/Raw.cc
+++ b/src/input/readers/raw/Raw.cc
@@ -96,24 +96,21 @@ bool Raw::SetFDFlags(int fd, int cmd, int flags)
 	}
 
 
-bool Raw::LockForkMutex()
+std::unique_lock<std::mutex> Raw::AcquireForkMutex()
 	{
-	int res = pthread_mutex_lock(plugin::Bro_RawReader::plugin.ForkMutex());
-	if ( res == 0 )
-		return true;
+	auto lock = plugin::Bro_RawReader::plugin.ForkMutex();
 
-	Error(Fmt("cannot lock fork mutex: %d", res));
-	return false;
-	}
+	try
+		{
+		lock.lock();
+		}
 
-bool Raw::UnlockForkMutex()
-	{
-	int res = pthread_mutex_unlock(plugin::Bro_RawReader::plugin.ForkMutex());
-	if ( res == 0 )
-		return true;
+	catch ( const std::system_error& e )
+		{
+		reporter->FatalErrorWithCore("cannot lock fork mutex: %s", e.what());
+		}
 
-	Error(Fmt("cannot unlock fork mutex: %d", res));
-	return false;
+	return lock;
 	}
 
 bool Raw::Execute()
@@ -126,12 +123,10 @@ bool Raw::Execute()
 	// never crops up... ("never" meaning I haven't seen in it in
 	// hundreds of tests using 50+ threads where before I'd see the issue
 	// w/ just 2 threads ~33% of the time).
-	if ( ! LockForkMutex() )
-		return false;
+	auto lock = AcquireForkMutex();
 
 	if ( pipe(pipes) != 0 || pipe(pipes+2) || pipe(pipes+4) )
 		{
-		UnlockForkMutex();
 		Error(Fmt("Could not open pipe: %d", errno));
 		return false;
 		}
@@ -139,7 +134,6 @@ bool Raw::Execute()
 	childpid = fork();
 	if ( childpid < 0 )
 		{
-		UnlockForkMutex();
 		Error(Fmt("Could not create child process: %d", errno));
 		return false;
 		}
@@ -208,8 +202,7 @@ bool Raw::Execute()
 				}
 			}
 
-		if ( ! UnlockForkMutex() )
-			return false;
+		lock.unlock();
 
 		ClosePipeEnd(stdout_out);
 
diff --git a/src/input/readers/raw/Raw.h b/src/input/readers/raw/Raw.h
index 2a166ae322..ec50ade8fe 100644
--- a/src/input/readers/raw/Raw.h
+++ b/src/input/readers/raw/Raw.h
@@ -4,8 +4,8 @@
 #define INPUT_READERS_RAW_H
 
 #include <vector>
-#include <pthread.h>
 #include <memory>
+#include <mutex>
 
 #include "input/ReaderBackend.h"
 
@@ -37,8 +37,7 @@ protected:
 private:
 	void ClosePipeEnd(int i);
 	bool SetFDFlags(int fd, int cmd, int flags);
-	bool LockForkMutex();
-	bool UnlockForkMutex();
+	std::unique_lock<std::mutex> AcquireForkMutex();
 
 	bool OpenInput();
 	bool CloseInput();
@@ -87,7 +86,6 @@ private:
 	};
 
 	static const int block_size;
-	static pthread_mutex_t fork_mutex;
 };
 
 }
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 6b3bbe40f3..91bba76ba6 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -9,13 +9,14 @@ extern "C" {
 #elif defined(HAVE_SYS_ETHERNET_H)
 #include <sys/ethernet.h>
 #elif defined(HAVE_NETINET_IF_ETHER_H)
+#include <net/if_arp.h>
 #include <netinet/if_ether.h>
 #elif defined(HAVE_NET_ETHERTYPES_H)
 #include <net/ethertypes.h>
 #endif
 }
 
-void Packet::Init(int arg_link_type, struct timeval *arg_ts, uint32 arg_caplen,
+void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32 arg_caplen,
 		  uint32 arg_len, const u_char *arg_data, int arg_copy,
 		  std::string arg_tag)
 	{
@@ -588,7 +589,7 @@ static iosource::PktDumper* dump = 0;
 
 Packet* Packet::Unserialize(UnserialInfo* info)
 	{
-	struct timeval ts;
+	pkt_timeval ts;
 	uint32 len, link_type;
 
 	if ( ! (UNSERIALIZE((uint32 *)&ts.tv_sec) &&
diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h
index 5414e2ca0e..ec29f39ff5 100644
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@@ -5,6 +5,13 @@
 #include "IP.h"
 #include "NetVar.h"
 
+#if defined(__OpenBSD__)
+#include <net/bpf.h>
+typedef struct bpf_timeval pkt_timeval;
+#else
+typedef struct timeval pkt_timeval;
+#endif
+
 /**
  * The Layer 3 type of a packet, as determined by the parsing code in Packet.
  */
@@ -48,7 +55,7 @@ public:
 	 * @param tag A textual tag to associate with the packet for
 	 * differentiating the input streams.
 	 */
-	Packet(int link_type, struct timeval *ts, uint32 caplen,
+	Packet(int link_type, pkt_timeval *ts, uint32 caplen,
 	       uint32 len, const u_char *data, int copy = false,
 	       std::string tag = std::string(""))
 	           : data(0), l2_src(0), l2_dst(0)
@@ -61,7 +68,7 @@ public:
 	 */
 	Packet() : data(0), l2_src(0), l2_dst(0)
 		{
-		struct timeval ts = {0, 0};
+		pkt_timeval ts = {0, 0};
 		Init(0, &ts, 0, 0, 0);
 		}
 
@@ -96,7 +103,7 @@ public:
 	 * @param tag A textual tag to associate with the packet for
 	 * differentiating the input streams.
 	 */
-	void Init(int link_type, struct timeval *ts, uint32 caplen,
+	void Init(int link_type, pkt_timeval *ts, uint32 caplen,
 		uint32 len, const u_char *data, int copy = false,
 		std::string tag = std::string(""));
 
@@ -155,7 +162,7 @@ public:
 	// These are passed in through the constructor.
 	std::string tag;		/// Used in serialization
 	double time;			/// Timestamp reconstituted as float
-	struct timeval ts;		/// Capture timestamp
+	pkt_timeval ts;			/// Capture timestamp
 	const u_char* data;		/// Packet data.
 	uint32 len;			/// Actual length on wire
 	uint32 cap_len;			/// Captured packet length
diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc
index e1a314d4d6..66a275736a 100644
--- a/src/logging/Manager.cc
+++ b/src/logging/Manager.cc
@@ -15,6 +15,8 @@
 #include "WriterFrontend.h"
 #include "WriterBackend.h"
 #include "logging.bif.h"
+#include "../plugin/Plugin.h"
+#include "../plugin/Manager.h"
 
 #ifdef ENABLE_BROKER
 #include "broker/Manager.h"
@@ -62,6 +64,7 @@ struct Manager::WriterInfo {
 	WriterFrontend* writer;
 	WriterBackend::WriterInfo* info;
 	bool from_remote;
+	bool hook_initialized;
 	string instantiating_filter;
 	};
 
@@ -840,12 +843,26 @@ bool Manager::Write(EnumVal* id, RecordVal* columns)
 			path = filter->path = filter->path_val->AsString()->CheckString();
 			}
 
+		WriterBackend::WriterInfo* info = 0;
 		WriterFrontend* writer = 0;
 
 		if ( w != stream->writers.end() )
 			{
 			// We know this writer already.
 			writer = w->second->writer;
+			info = w->second->info;
+
+			if ( ! w->second->hook_initialized )
+				{
+				auto wi = w->second;
+				wi->hook_initialized = true;
+				PLUGIN_HOOK_VOID(HOOK_LOG_INIT,
+				                 HookLogInit(filter->writer->Type()->AsEnumType()->Lookup(filter->writer->InternalInt()),
+				                             wi->instantiating_filter, filter->local,
+				                             filter->remote, *wi->info,
+				                             filter->num_fields,
+				                             filter->fields));
+				}
 			}
 
 		else
@@ -874,7 +891,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns)
 				arg_fields[j] = new threading::Field(*filter->fields[j]);
 				}
 
-			WriterBackend::WriterInfo* info = new WriterBackend::WriterInfo;
+			info = new WriterBackend::WriterInfo;
 			info->path = copy_string(path.c_str());
 			info->network_time = network_time;
 
@@ -909,6 +926,22 @@ bool Manager::Write(EnumVal* id, RecordVal* columns)
 
 		threading::Value** vals = RecordToFilterVals(stream, filter, columns);
 
+		if ( ! PLUGIN_HOOK_WITH_RESULT(HOOK_LOG_WRITE,
+		                               HookLogWrite(filter->writer->Type()->AsEnumType()->Lookup(filter->writer->InternalInt()),
+		                                            filter->name, *info,
+		                                            filter->num_fields,
+		                                            filter->fields, vals),
+		                               true) )
+			{
+			DeleteVals(filter->num_fields, vals);
+
+#ifdef DEBUG
+			DBG_LOG(DBG_LOGGING, "Hook prevented writing to filter '%s' on stream '%s'",
+				filter->name.c_str(), stream->name.c_str());
+#endif
+			return true;
+			}
+
 		// Write takes ownership of vals.
 		assert(writer);
 		writer->Write(filter->num_fields, vals);
@@ -919,12 +952,6 @@ bool Manager::Write(EnumVal* id, RecordVal* columns)
 #endif
 		}
 
-#ifdef ENABLE_BROKER
-	if ( stream->enable_remote &&
-	     ! broker_mgr->Log(id, columns, stream->columns, stream->remote_flags) )
-			stream->enable_remote = false;
-#endif
-
 	Unref(columns);
 
 	return true;
@@ -1121,23 +1148,46 @@ threading::Value** Manager::RecordToFilterVals(Stream* stream, Filter* filter,
 	return vals;
 	}
 
+bool Manager::CreateWriterForRemoteLog(EnumVal* id, EnumVal* writer, WriterBackend::WriterInfo* info,
+			   int num_fields, const threading::Field* const* fields)
+	{
+	return CreateWriter(id, writer, info, num_fields, fields, true, false, true);
+	}
+
+static void delete_info_and_fields(WriterBackend::WriterInfo* info, int num_fields, const threading::Field* const* fields)
+	{
+	for ( int i = 0; i < num_fields; i++ )
+		delete fields[i];
+
+	delete [] fields;
+	delete info;
+	}
+
 WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBackend::WriterInfo* info,
-				int num_fields, const threading::Field* const*  fields, bool local, bool remote, bool from_remote,
+				int num_fields, const threading::Field* const* fields, bool local, bool remote, bool from_remote,
 				const string& instantiating_filter)
 	{
+	WriterFrontend* result = 0;
+
 	Stream* stream = FindStream(id);
 
 	if ( ! stream )
+		{
 		// Don't know this stream.
+		delete_info_and_fields(info, num_fields, fields);
 		return 0;
+		}
 
 	Stream::WriterMap::iterator w =
 		stream->writers.find(Stream::WriterPathPair(writer->AsEnum(), info->path));
 
 	if ( w != stream->writers.end() )
+		{
 		// If we already have a writer for this. That's fine, we just
 		// return it.
+		delete_info_and_fields(info, num_fields, fields);
 		return w->second->writer;
+		}
 
 	WriterInfo* winfo = new WriterInfo;
 	winfo->type = writer->Ref()->AsEnumVal();
@@ -1148,6 +1198,7 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken
 	winfo->postprocessor = 0;
 	winfo->info = info;
 	winfo->from_remote = from_remote;
+	winfo->hook_initialized = false;
 	winfo->instantiating_filter = instantiating_filter;
 
 	// Search for a corresponding filter for the writer/path pair and use its
@@ -1190,9 +1241,22 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken
 	winfo->info->rotation_interval = winfo->interval;
 	winfo->info->rotation_base = parse_rotate_base_time(base_time);
 
-	winfo->writer = new WriterFrontend(*winfo->info, id, writer, local, remote);
+#ifdef ENABLE_BROKER
+	winfo->writer = new WriterFrontend(*winfo->info, id, writer, local, remote, stream->remote_flags);
+#else
+	winfo->writer = new WriterFrontend(*winfo->info, id, writer, local, remote, 0);
+#endif
 	winfo->writer->Init(num_fields, fields);
 
+	if ( ! from_remote )
+		{
+		winfo->hook_initialized = true;
+		PLUGIN_HOOK_VOID(HOOK_LOG_INIT,
+		                 HookLogInit(writer->Type()->AsEnumType()->Lookup(writer->InternalInt()),
+		                             instantiating_filter, local, remote,
+		                             *winfo->info, num_fields, fields));
+		}
+
 	InstallRotationTimer(winfo);
 
 	return winfo->writer;
@@ -1207,8 +1271,8 @@ void Manager::DeleteVals(int num_fields, threading::Value** vals)
 	delete [] vals;
 	}
 
-bool Manager::Write(EnumVal* id, EnumVal* writer, string path, int num_fields,
-		   threading::Value** vals)
+bool Manager::WriteFromRemote(EnumVal* id, EnumVal* writer, string path, int num_fields,
+			      threading::Value** vals)
 	{
 	Stream* stream = FindStream(id);
 
@@ -1280,6 +1344,34 @@ void Manager::SendAllWritersTo(RemoteSerializer::PeerID peer)
 		}
 	}
 
+void Manager::SendAllWritersTo(const string& peer)
+	{
+#ifdef ENABLE_BROKER
+	for ( vector<Stream *>::iterator s = streams.begin(); s != streams.end(); ++s )
+		{
+		Stream* stream = (*s);
+
+		if ( ! stream )
+			continue;
+
+		for ( Stream::WriterMap::iterator i = stream->writers.begin();
+		      i != stream->writers.end(); i++ )
+			{
+			WriterFrontend* writer = i->second->writer;
+
+			EnumVal writer_val(i->first.first, internal_type("Log::Writer")->AsEnumType());
+			broker_mgr->CreateLog((*s)->id,
+					      &writer_val,
+					      *i->second->info,
+					      writer->NumFields(),
+					      writer->Fields(),
+					      stream->remote_flags,
+					      peer);
+			}
+		}
+#endif
+	}
+
 bool Manager::SetBuf(EnumVal* id, bool enabled)
 	{
 	Stream* stream = FindStream(id);
diff --git a/src/logging/Manager.h b/src/logging/Manager.h
index 5d3372fb9b..56626f39d3 100644
--- a/src/logging/Manager.h
+++ b/src/logging/Manager.h
@@ -129,6 +129,52 @@ public:
 	 */
 	bool Write(EnumVal* id, RecordVal* columns);
 
+	/**
+	 * Create a new log writer frontend. This is exposed so that the
+	 * communication system can recreate remote log streams locally.
+	 *
+	 * @param id The enum value corresponding to the log stream.
+	 *
+	 * @param writer The enum value corresponding to the desired log writer.
+	 *
+	 * @param info A fully initialized object defining the
+	 * characteristics of the backend writer instance. The method takes
+	 * ownership of this.
+	 *
+	 * @param num_fields The number of log fields to write.
+	 *
+	 * @param vals An array of log fields to write, of size num_fields.
+	 * The method takes ownership of the array.
+	 *
+	 * @return Returns true if the writer was successfully created.
+	 */
+	bool CreateWriterForRemoteLog(EnumVal* id, EnumVal* writer, WriterBackend::WriterInfo* info,
+				      int num_fields, const threading::Field* const* fields);
+
+	/**
+	 * Writes out log entries that have already passed through all
+	 * filters (and have raised any events). This is meant called for logs
+	 * received already processed from remote.
+	 *
+	 * @param stream The enum value corresponding to the log stream.
+	 *
+	 * @param writer The enum value corresponding to the desired log writer.
+	 *
+	 * @param path The path of the target log stream to write to.
+	 *
+	 * @param num_fields The number of log values to write.
+	 *
+	 * @param vals An array of log values to write, of size num_fields.
+	 * The method takes ownership of the array.
+	 */
+	bool WriteFromRemote(EnumVal* stream, EnumVal* writer, string path,
+			     int num_fields, threading::Value** vals);
+
+	/**
+	 * Announces all instantiated writers to a given Broker peer.
+	 */
+	void SendAllWritersTo(const string& peer);
+
 	/**
 	 * Sets log streams buffering state. This adjusts all associated
 	 * writers to the new state.
@@ -203,10 +249,6 @@ protected:
 				int num_fields, const threading::Field* const* fields,
 				bool local, bool remote, bool from_remote, const string& instantiating_filter="");
 
-	// Takes ownership of values..
-	bool Write(EnumVal* id, EnumVal* writer, string path,
-		   int num_fields, threading::Value** vals);
-
 	// Announces all instantiated writers to peer.
 	void SendAllWritersTo(RemoteSerializer::PeerID peer);
 
diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc
index 3e868f067a..ebf5165169 100644
--- a/src/logging/WriterBackend.cc
+++ b/src/logging/WriterBackend.cc
@@ -119,6 +119,65 @@ bool WriterBackend::WriterInfo::Write(SerializationFormat* fmt) const
 	return true;
 	}
 
+#ifdef ENABLE_BROKER
+broker::data WriterBackend::WriterInfo::ToBroker() const
+	{
+	auto bpath = broker::record::field(path);
+	auto brotation_base = broker::record::field(rotation_base);
+	auto brotation_interval = broker::record::field(rotation_interval);
+	auto bnetwork_time = broker::record::field(network_time);
+
+	auto t = broker::table();
+
+	for ( config_map::const_iterator i = config.begin(); i != config.end(); ++i )
+		{
+		auto key = std::string(i->first);
+		auto value = std::string(i->second);
+		t.insert(std::make_pair(key, value));
+		}
+
+	auto bconfig = broker::record::field(move(t));
+
+	return move(broker::record({bpath, brotation_base, brotation_interval, bnetwork_time, bconfig}));
+	}
+
+bool WriterBackend::WriterInfo::FromBroker(broker::data d)
+	{
+	auto r = broker::get<broker::record>(d);
+
+	if ( ! r )
+		return false;
+
+	auto bpath = broker::get<std::string>(*r->get(0));
+	auto brotation_base = broker::get<double>(*r->get(1));
+	auto brotation_interval = broker::get<double>(*r->get(2));
+	auto bnetwork_time = broker::get<double>(*r->get(3));
+	auto bconfig = broker::get<broker::table>(*r->get(4));
+
+	if ( ! (bpath && brotation_base && brotation_interval && bnetwork_time && bconfig) )
+		return false;
+
+	path = copy_string(bpath->c_str());
+	rotation_base = *brotation_base;
+	rotation_interval = *brotation_interval;
+	network_time = *bnetwork_time;
+
+	for ( auto i : *bconfig )
+		{
+		auto k = broker::get<std::string>(i.first);
+		auto v = broker::get<std::string>(i.second);
+
+		if ( ! (k && v) )
+			return false;
+
+		auto p = std::make_pair(copy_string(k->c_str()), copy_string(v->c_str()));
+		config.insert(p);
+		}
+
+	return true;
+	}
+#endif
+
 WriterBackend::WriterBackend(WriterFrontend* arg_frontend) : MsgThread()
 	{
 	num_fields = 0;
diff --git a/src/logging/WriterBackend.h b/src/logging/WriterBackend.h
index 2a93e8fefc..f6602cc8ca 100644
--- a/src/logging/WriterBackend.h
+++ b/src/logging/WriterBackend.h
@@ -7,6 +7,10 @@
 
 #include "threading/MsgThread.h"
 
+#ifdef ENABLE_BROKER
+#include "broker/Data.h"
+#endif
+
 #include "Component.h"
 
 class RemoteSerializer;
@@ -110,15 +114,18 @@ public:
 				}
 			}
 
-		private:
-		const WriterInfo& operator=(const WriterInfo& other); // Disable.
-
-		friend class ::RemoteSerializer;
-
 		// Note, these need to be adapted when changing the struct's
 		// fields. They serialize/deserialize the struct.
 		bool Read(SerializationFormat* fmt);
 		bool Write(SerializationFormat* fmt) const;
+
+#ifdef ENABLE_BROKER
+		broker::data ToBroker() const;
+		bool FromBroker(broker::data d);
+#endif
+
+		private:
+		const WriterInfo& operator=(const WriterInfo& other); // Disable.
 		};
 
 	/**
diff --git a/src/logging/WriterFrontend.cc b/src/logging/WriterFrontend.cc
index 14e131c755..0c2378890f 100644
--- a/src/logging/WriterFrontend.cc
+++ b/src/logging/WriterFrontend.cc
@@ -2,6 +2,10 @@
 #include "Net.h"
 #include "threading/SerialTypes.h"
 
+#ifdef ENABLE_BROKER
+#include "broker/Manager.h"
+#endif
+
 #include "Manager.h"
 #include "WriterFrontend.h"
 #include "WriterBackend.h"
@@ -97,7 +101,7 @@ private:
 
 using namespace logging;
 
-WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVal* arg_stream, EnumVal* arg_writer, bool arg_local, bool arg_remote)
+WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVal* arg_stream, EnumVal* arg_writer, bool arg_local, bool arg_remote, int arg_remote_flags)
 	{
 	stream = arg_stream;
 	writer = arg_writer;
@@ -108,6 +112,7 @@ WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVa
 	buf = true;
 	local = arg_local;
 	remote = arg_remote;
+	remote_flags = arg_remote_flags;
 	write_buffer = 0;
 	write_buffer_pos = 0;
 	info = new WriterBackend::WriterInfo(arg_info);
@@ -167,12 +172,23 @@ void WriterFrontend::Init(int arg_num_fields, const Field* const * arg_fields)
 		backend->SendIn(new InitMessage(backend, arg_num_fields, arg_fields));
 
 	if ( remote )
+		{
 		remote_serializer->SendLogCreateWriter(stream,
 						       writer,
 						       *info,
 						       arg_num_fields,
 						       arg_fields);
 
+#ifdef ENABLE_BROKER
+		broker_mgr->CreateLog(stream,
+				      writer,
+				      *info,
+				      arg_num_fields,
+				      arg_fields,
+				      remote_flags);
+#endif
+		}
+
 	}
 
 void WriterFrontend::Write(int arg_num_fields, Value** vals)
@@ -191,12 +207,23 @@ void WriterFrontend::Write(int arg_num_fields, Value** vals)
 		}
 
 	if ( remote )
+		{
 		remote_serializer->SendLogWrite(stream,
 						writer,
 						info->path,
 						num_fields,
 						vals);
 
+#ifdef ENABLE_BROKER
+		broker_mgr->Log(stream,
+				writer,
+				info->path,
+				num_fields,
+				vals,
+				remote_flags);
+#endif
+		}
+
 	if ( ! backend )
 		{
 		DeleteVals(arg_num_fields, vals);
diff --git a/src/logging/WriterFrontend.h b/src/logging/WriterFrontend.h
index e343f326bf..ae37613261 100644
--- a/src/logging/WriterFrontend.h
+++ b/src/logging/WriterFrontend.h
@@ -34,16 +34,17 @@ public:
 	 *
 	 * info: The meta information struct for the writer.
 	 *
-	 * writer_name: A descriptive name for the writer's type.
-	 *
 	 * local: If true, the writer will instantiate a local backend.
 	 *
-	 * remote: If true, the writer will forward all data to remote
+	 * remote: If true, the writer will forward logs to remote
 	 * clients.
 	 *
+	 * remote_flags: Broker flags controlling where remote logs are
+	 * propagated to.
+	 *
 	 * Frontends must only be instantiated by the main thread.
 	 */
-	WriterFrontend(const WriterBackend::WriterInfo& info, EnumVal* stream, EnumVal* writer, bool local, bool remote);
+	WriterFrontend(const WriterBackend::WriterInfo& info, EnumVal* stream, EnumVal* writer, bool local, bool remote, int remote_flags);
 
 	/**
 	 * Destructor.
@@ -214,6 +215,7 @@ protected:
 	bool buf;	// True if buffering is enabled (default).
 	bool local;	// True if logging locally.
 	bool remote;	// True if loggin remotely.
+	int remote_flags;	// Broker propagation flags.
 
 	const char* name;	// Descriptive name of the
 	WriterBackend::WriterInfo* info;	// The writer information.
diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc
index d6f5daa7e7..dec1689df4 100644
--- a/src/logging/writers/ascii/Ascii.cc
+++ b/src/logging/writers/ascii/Ascii.cc
@@ -24,6 +24,8 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend)
 	tsv = false;
 	use_json = false;
 	formatter = 0;
+	gzip_level = 0;
+	gzfile = nullptr;
 
 	InitConfigOptions();
 	init_options = InitFilterOptions();
@@ -34,6 +36,7 @@ void Ascii::InitConfigOptions()
 	output_to_stdout = BifConst::LogAscii::output_to_stdout;
 	include_meta = BifConst::LogAscii::include_meta;
 	use_json = BifConst::LogAscii::use_json;
+	gzip_level = BifConst::LogAscii::gzip_level;
 
 	separator.assign(
 			(const char*) BifConst::LogAscii::separator->Bytes(),
@@ -89,6 +92,16 @@ bool Ascii::InitFilterOptions()
 				}
 			}
 
+		else if ( strcmp(i->first, "gzip_level" ) == 0 )
+			{
+			gzip_level = atoi(i->second);
+
+			if ( gzip_level < 0 || gzip_level > 9 )
+				{
+				Error("invalid value for 'gzip_level', must be a number between 0 and 9.");
+				return false;
+				}
+			}
 		else if ( strcmp(i->first, "use_json") == 0 )
 			{
 			if ( strcmp(i->second, "T") == 0 )
@@ -192,7 +205,7 @@ bool Ascii::WriteHeaderField(const string& key, const string& val)
 	{
 	string str = meta_prefix + key + separator + val + "\n";
 
-	return safe_write(fd, str.c_str(), str.length());
+	return InternalWrite(fd, str.c_str(), str.length());
 	}
 
 void Ascii::CloseFile(double t)
@@ -203,8 +216,9 @@ void Ascii::CloseFile(double t)
 	if ( include_meta && ! tsv )
 		WriteHeaderField("close", Timestamp(0));
 
-	safe_close(fd);
+	InternalClose(fd);
 	fd = 0;
+	gzfile = nullptr;
 	}
 
 bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * fields)
@@ -219,7 +233,8 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 	if ( output_to_stdout )
 		path = "/dev/stdout";
 
-	fname = IsSpecial(path) ? path : path + "." + LogExt();
+	fname = IsSpecial(path) ? path : path + "." + LogExt() +
+	                          (gzip_level > 0 ? ".gz" : "");
 
 	fd = open(fname.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0666);
 
@@ -231,6 +246,31 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 		return false;
 		}
 
+	if ( gzip_level > 0 )
+		{
+		if ( gzip_level < 0 || gzip_level > 9 )
+			{
+			Error("invalid value for 'gzip_level', must be a number between 0 and 9.");
+			return false;
+			}
+
+		char mode[4];
+		snprintf(mode, sizeof(mode), "wb%d", gzip_level);
+		errno = 0; // errno will only be set under certain circumstances by gzdopen.
+		gzfile = gzdopen(fd, mode);
+
+		if ( gzfile == nullptr )
+			{
+			Error(Fmt("cannot gzip %s: %s", fname.c_str(),
+			                                Strerror(errno)));
+			return false;
+			}
+		}
+	else
+		{
+		gzfile = nullptr;
+		}
+
 	if ( ! WriteHeader(path) )
 		{
 		Error(Fmt("error writing to %s: %s", fname.c_str(), Strerror(errno)));
@@ -264,7 +304,7 @@ bool Ascii::WriteHeader(const string& path)
 		{
 		// A single TSV-style line is all we need.
 		string str = names + "\n";
-		if ( ! safe_write(fd, str.c_str(), str.length()) )
+		if ( ! InternalWrite(fd, str.c_str(), str.length()) )
 			return false;
 
 		return true;
@@ -275,7 +315,7 @@ bool Ascii::WriteHeader(const string& path)
 		+ get_escaped_string(separator, false)
 		+ "\n";
 
-	if ( ! safe_write(fd, str.c_str(), str.length()) )
+	if ( ! InternalWrite(fd, str.c_str(), str.length()) )
 		return false;
 
 	if ( ! (WriteHeaderField("set_separator", get_escaped_string(set_separator, false)) &&
@@ -337,14 +377,14 @@ bool Ascii::DoWrite(int num_fields, const Field* const * fields,
 		char hex[4] = {'\\', 'x', '0', '0'};
 		bytetohex(bytes[0], hex + 2);
 
-		if ( ! safe_write(fd, hex, 4) )
+		if ( ! InternalWrite(fd, hex, 4) )
 			goto write_error;
 
 		++bytes;
 		--len;
 		}
 
-	if ( ! safe_write(fd, bytes, len) )
+	if ( ! InternalWrite(fd, bytes, len) )
 		goto write_error;
 
         if ( ! IsBuf() )
@@ -368,7 +408,8 @@ bool Ascii::DoRotate(const char* rotated_path, double open, double close, bool t
 
 	CloseFile(close);
 
-	string nname = string(rotated_path) + "." + LogExt();
+	string nname = string(rotated_path) + "." + LogExt() +
+	               (gzip_level > 0 ? ".gz" : "");
 
 	if ( rename(fname.c_str(), nname.c_str()) != 0 )
 		{
@@ -434,4 +475,58 @@ string Ascii::Timestamp(double t)
 	return tmp;
 	}
 
+bool Ascii::InternalWrite(int fd, const char* data, int len)
+	{
+	if ( ! gzfile )
+		return safe_write(fd, data, len);
+
+	while ( len > 0 )
+		{
+		int n = gzwrite(gzfile, data, len);
+
+		if ( n <= 0 )
+			{
+			const char* err = gzerror(gzfile, &n);
+			Error(Fmt("Ascii::InternalWrite error: %s\n", err));
+			return false;
+			}
+
+		data += n;
+		len -= n;
+		}
+
+	return true;
+	}
+
+bool Ascii::InternalClose(int fd)
+	{
+	if ( ! gzfile )
+		{
+		safe_close(fd);
+		return true;
+		}
+
+	int res = gzclose(gzfile);
+
+	if ( res == Z_OK )
+		return true;
+
+	switch ( res ) {
+	case Z_STREAM_ERROR:
+		Error("Ascii::InternalClose gzclose error: invalid file stream");
+		break;
+	case Z_BUF_ERROR:
+		Error("Ascii::InternalClose gzclose error: "
+		      "no compression progress possible during buffer flush");
+		break;
+	case Z_ERRNO:
+		Error(Fmt("Ascii::InternalClose gzclose error: %s\n", Strerror(errno)));
+		break;
+	default:
+		Error("Ascii::InternalClose invalid gzclose result");
+		break;
+	}
+
+	return false;
+	}
 
diff --git a/src/logging/writers/ascii/Ascii.h b/src/logging/writers/ascii/Ascii.h
index 8648070111..eabeda4242 100644
--- a/src/logging/writers/ascii/Ascii.h
+++ b/src/logging/writers/ascii/Ascii.h
@@ -8,6 +8,7 @@
 #include "logging/WriterBackend.h"
 #include "threading/formatters/Ascii.h"
 #include "threading/formatters/JSON.h"
+#include "zlib.h"
 
 namespace logging { namespace writer {
 
@@ -42,8 +43,11 @@ private:
 	void InitConfigOptions();
 	bool InitFilterOptions();
 	bool InitFormatter();
+	bool InternalWrite(int fd, const char* data, int len);
+	bool InternalClose(int fd);
 
 	int fd;
+	gzFile gzfile;
 	string fname;
 	ODesc desc;
 	bool ascii_done;
@@ -59,6 +63,7 @@ private:
 	string unset_field;
 	string meta_prefix;
 
+	int gzip_level; // level > 0 enables gzip compression
 	bool use_json;
 	string json_timestamps;
 
diff --git a/src/logging/writers/ascii/ascii.bif b/src/logging/writers/ascii/ascii.bif
index 2817511152..b12b14f1a0 100644
--- a/src/logging/writers/ascii/ascii.bif
+++ b/src/logging/writers/ascii/ascii.bif
@@ -12,3 +12,4 @@ const empty_field: string;
 const unset_field: string;
 const use_json: bool;
 const json_timestamps: JSON::TimestampFormat;
+const gzip_level: count;
diff --git a/src/main.cc b/src/main.cc
index 55636a9496..0ca39e9e2d 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -129,6 +129,7 @@ OpaqueType* cardinality_type = 0;
 OpaqueType* topk_type = 0;
 OpaqueType* bloomfilter_type = 0;
 OpaqueType* x509_opaque_type = 0;
+OpaqueType* ocsp_resp_opaque_type = 0;
 
 // Keep copy of command line
 int bro_argc;
@@ -595,7 +596,7 @@ int main(int argc, char** argv)
 			break;
 
 		case 'v':
-			fprintf(stderr, "%s version %s\n", prog, bro_version());
+			fprintf(stdout, "%s version %s\n", prog, bro_version());
 			exit(0);
 			break;
 
@@ -839,6 +840,7 @@ int main(int argc, char** argv)
 	topk_type = new OpaqueType("topk");
 	bloomfilter_type = new OpaqueType("bloomfilter");
 	x509_opaque_type = new OpaqueType("x509");
+	ocsp_resp_opaque_type = new OpaqueType("ocsp_resp");
 
 	// The leak-checker tends to produce some false
 	// positives (memory which had already been
diff --git a/src/module_util.cc b/src/module_util.cc
index d9aa1af645..d5817a7d7a 100644
--- a/src/module_util.cc
+++ b/src/module_util.cc
@@ -52,7 +52,12 @@ string make_full_var_name(const char* module_name, const char* var_name)
 	{
 	if ( ! module_name || streq(module_name, GLOBAL_MODULE_NAME) ||
 	     strstr(var_name, "::") )
+		{
+		if ( streq(GLOBAL_MODULE_NAME, extract_module_name(var_name).c_str()) )
+			return extract_var_name(var_name);
+
 		return string(var_name);
+		}
 
 	string full_name = normalized_module_name(module_name);
 	full_name += "::";
diff --git a/src/net_util.cc b/src/net_util.cc
index 677a869cc5..9f93296d39 100644
--- a/src/net_util.cc
+++ b/src/net_util.cc
@@ -18,13 +18,16 @@
 // Returns the ones-complement checksum of a chunk of b short-aligned bytes.
 int ones_complement_checksum(const void* p, int b, uint32 sum)
 	{
-	const u_short* sp = (u_short*) p;	// better be aligned!
+	const unsigned char* sp = (unsigned char*) p;
 
 	b /= 2;	// convert to count of short's
 
 	/* No need for endian conversions. */
 	while ( --b >= 0 )
-		sum += *sp++;
+		{
+		sum += *sp + (*(sp+1) << 8);
+		sp += 2;
+		}
 
 	while ( sum > 0xffff )
 		sum = (sum & 0xffff) + (sum >> 16);
diff --git a/src/patricia.c b/src/patricia.c
index 5ec6e2a27c..9d18adf14c 100644
--- a/src/patricia.c
+++ b/src/patricia.c
@@ -64,6 +64,7 @@ static char copyright[] =
 #include <stdio.h> /* sprintf, fprintf, stderr */
 #include <stdlib.h> /* free, atol, calloc */
 #include <string.h> /* memcpy, strchr, strlen */
+#include <netinet/in.h> /* for struct in_addr */
 #include <arpa/inet.h> /* for inet_addr */
 #include <sys/types.h> /* for u_short, etc. */
 #include <stdbool.h>
diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc
index c672614957..a6c564d4f2 100644
--- a/src/plugin/Manager.cc
+++ b/src/plugin/Manager.cc
@@ -243,10 +243,6 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_
 
 			plugins_by_path.insert(std::make_pair(normalize_path(dir), current_plugin));
 
-			if ( current_plugin->APIVersion() != BRO_PLUGIN_API_VERSION )
-				reporter->FatalError("plugin's API version does not match Bro (expected %d, got %d in %s)",
-						     BRO_PLUGIN_API_VERSION, current_plugin->APIVersion(), path);
-
 			// We execute the pre-script initialization here; this in
 			// fact could be *during* script initialization if we got
 			// triggered via @load-plugin.
@@ -712,7 +708,7 @@ void Manager::HookSetupAnalyzerTree(Connection *conn) const
 
 	if ( HavePluginForHook(META_HOOK_PRE) )
 		{
-		args.push_back(conn);
+		args.push_back(HookArgument(conn));
 		MetaHookPre(HOOK_SETUP_ANALYZER_TREE, args);
 		}
 
@@ -739,7 +735,7 @@ void Manager::HookUpdateNetworkTime(double network_time) const
 
 	if ( HavePluginForHook(META_HOOK_PRE) )
 		{
-		args.push_back(network_time);
+		args.push_back(HookArgument(network_time));
 		MetaHookPre(HOOK_UPDATE_NETWORK_TIME, args);
 		}
 
@@ -762,7 +758,7 @@ void Manager::HookBroObjDtor(void* obj) const
 
 	if ( HavePluginForHook(META_HOOK_PRE) )
 		{
-		args.push_back(obj);
+		args.push_back(HookArgument(obj));
 		MetaHookPre(HOOK_BRO_OBJ_DTOR, args);
 		}
 
@@ -779,6 +775,84 @@ void Manager::HookBroObjDtor(void* obj) const
 		MetaHookPost(HOOK_BRO_OBJ_DTOR, args, HookArgument());
 	}
 
+void Manager::HookLogInit(const std::string& writer,
+                          const std::string& instantiating_filter,
+                          bool local, bool remote,
+                          const logging::WriterBackend::WriterInfo& info,
+                          int num_fields,
+                          const threading::Field* const* fields) const
+	{
+	HookArgumentList args;
+
+	if ( HavePluginForHook(META_HOOK_PRE) )
+		{
+		args.push_back(HookArgument(writer));
+		args.push_back(HookArgument(instantiating_filter));
+		args.push_back(HookArgument(local));
+		args.push_back(HookArgument(remote));
+		args.push_back(HookArgument(&info));
+		args.push_back(HookArgument(num_fields));
+		args.push_back(HookArgument(std::make_pair(num_fields, fields)));
+		MetaHookPre(HOOK_LOG_INIT, args);
+		}
+
+	hook_list* l = hooks[HOOK_LOG_INIT];
+
+	if ( l )
+		for ( hook_list::iterator i = l->begin(); i != l->end(); ++i )
+			{
+			Plugin* p = (*i).second;
+			p->HookLogInit(writer, instantiating_filter, local, remote, info,
+			               num_fields, fields);
+			}
+
+	if ( HavePluginForHook(META_HOOK_POST) )
+		MetaHookPost(HOOK_LOG_INIT, args, HookArgument());
+	}
+
+bool Manager::HookLogWrite(const std::string& writer,
+                           const std::string& filter,
+                           const logging::WriterBackend::WriterInfo& info,
+                           int num_fields,
+                           const threading::Field* const* fields,
+                           threading::Value** vals) const
+	{
+	HookArgumentList args;
+
+	if ( HavePluginForHook(META_HOOK_PRE) )
+		{
+		args.push_back(HookArgument(writer));
+		args.push_back(HookArgument(filter));
+		args.push_back(HookArgument(&info));
+		args.push_back(HookArgument(num_fields));
+		args.push_back(HookArgument(std::make_pair(num_fields, fields)));
+		args.push_back(HookArgument(vals));
+		MetaHookPre(HOOK_LOG_WRITE, args);
+		}
+
+	hook_list* l = hooks[HOOK_LOG_WRITE];
+
+	bool result = true;
+
+	if ( l )
+		for ( hook_list::iterator i = l->begin(); i != l->end(); ++i )
+			{
+			Plugin* p = (*i).second;
+
+			if ( ! p->HookLogWrite(writer, filter, info, num_fields, fields,
+			                       vals) )
+				{
+				result = false;
+				break;
+				}
+			}
+
+	if ( HavePluginForHook(META_HOOK_POST) )
+		MetaHookPost(HOOK_LOG_WRITE, args, HookArgument(result));
+
+	return result;
+	}
+
 void Manager::MetaHookPre(HookType hook, const HookArgumentList& args) const
 	{
 	hook_list* l = hooks[HOOK_CALL_FUNCTION];
diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h
index 2a394b39ee..9ece86bfed 100644
--- a/src/plugin/Manager.h
+++ b/src/plugin/Manager.h
@@ -291,6 +291,70 @@ public:
 	 */
 	void HookBroObjDtor(void* obj) const;
 
+	/**
+	 * Hook into log initialization. This method will be called when a
+	 * logging writer is created. A writer represents a single logging
+	 * filter. The method is called in the main thread, on the node that
+	 * causes a log line to be written. It will _not_ be called on the logger
+	 * node. The function will be called once for every instantiated writer.
+	 *
+	 * @param writer The name of the writer being instantiated.
+	 *
+	 * @param instantiating_filter Name of the filter causing the
+	 *        writer instantiation.
+	 *
+	 * @param local True if the filter is logging locally (writer
+	 *              thread will be located in same process).
+	 *
+	 * @param remote True if filter is logging remotely (writer thread
+	 *               will be located in different thread, typically
+	 *               in manager or logger node).
+	 *
+	 * @param info WriterBackend::WriterInfo with information about the writer.
+	 *
+	 * @param num_fields number of fields in the record being written.
+	 *
+	 * @param fields threading::Field description of the fields being logged.
+	 */
+	void HookLogInit(const std::string& writer,
+	                 const std::string& instantiating_filter,
+	                 bool local, bool remote,
+	                 const logging::WriterBackend::WriterInfo& info,
+	                 int num_fields,
+	                 const threading::Field* const* fields) const;
+
+	/**
+	 * Hook into log writing. This method will be called for each log line
+	 * being written by each writer. Each writer represents a single logging
+	 * filter. The method is called in the main thread, on the node that
+	 * causes a log line to be written. It will _not_ be called on the logger
+	 * node.
+	 * This function allows plugins to modify or skip logging of information.
+	 * Note - once a log line is skipped (by returning false), it will not
+	 * passed on to hooks that have not yet been called.
+	 *
+	 * @param writer The name of the writer.
+	 *
+	 * @param filter Name of the filter being written to.
+	 *
+	 * @param info WriterBackend::WriterInfo with information about the writer.
+	 *
+	 * @param num_fields number of fields in the record being written.
+	 *
+	 * @param fields threading::Field description of the fields being logged.
+	 *
+	 * @param vals threading::Values containing the values being written. Values
+	 *             can be modified in the Hook.
+	 *
+	 * @return true if log line should be written, false if log line should be
+	 *         skipped and not passed on to the writer.
+	 */
+	bool HookLogWrite(const std::string& writer,
+	                  const std::string& filter,
+	                  const logging::WriterBackend::WriterInfo& info,
+	                  int num_fields, const threading::Field* const* fields,
+	                  threading::Value** vals) const;
+
 	/**
 	 * Internal method that registers a freshly instantiated plugin with
 	 * the manager.
diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc
index b0eb19a628..f54749f837 100644
--- a/src/plugin/Plugin.cc
+++ b/src/plugin/Plugin.cc
@@ -10,6 +10,8 @@
 
 #include "../Desc.h"
 #include "../Event.h"
+#include "../Conn.h"
+#include "threading/SerialTypes.h"
 
 using namespace plugin;
 
@@ -24,6 +26,8 @@ const char* plugin::hook_name(HookType h)
 		"UpdateNetworkTime",
 		"BroObjDtor",
 		"SetupAnalyzerTree",
+		"LogInit",
+		"LogWrite",
 		// MetaHooks
 		"MetaHookPre",
 		"MetaHookPost",
@@ -84,6 +88,11 @@ void HookArgument::Describe(ODesc* d) const
 			d->Add("<null>");
 		break;
 
+	case CONN:
+		if ( arg.conn )
+			arg.conn->Describe(d);
+		break;
+
 	case FUNC_RESULT:
 		if ( func_result.first )
 			{
@@ -145,6 +154,60 @@ void HookArgument::Describe(ODesc* d) const
 	case VOIDP:
 		d->Add("<void ptr>");
 		break;
+
+	case WRITER_INFO:
+		{
+		d->Add(arg.winfo->path);
+		d->Add("(");
+		d->Add(arg.winfo->network_time);
+		d->Add(",");
+		d->Add(arg.winfo->rotation_interval);
+		d->Add(",");
+		d->Add(arg.winfo->rotation_base);
+
+		if ( arg.winfo->config.size() > 0 )
+			{
+			bool first = true;
+			d->Add("config: {");
+
+			for ( auto& v: arg.winfo->config )
+				{
+				if ( ! first )
+					d->Add(", ");
+
+				d->Add(v.first);
+				d->Add(": ");
+				d->Add(v.second);
+				first = false;
+				}
+
+			d->Add("}");
+			}
+
+		d->Add(")");
+		}
+		break;
+
+	case THREAD_FIELDS:
+		{
+		d->Add("{");
+
+		for ( int i=0; i < tfields.first; i++ )
+			{
+			const threading::Field* f = tfields.second[i];
+
+			if ( i > 0 )
+				d->Add(", ");
+
+			d->Add(f->name);
+			d->Add(" (");
+			d->Add(f->TypeName());
+			d->Add(")");
+			}
+
+		d->Add("}");
+		}
+		break;
 	}
 	}
 
@@ -179,11 +242,6 @@ VersionNumber Plugin::Version() const
 	return config.version;
 	}
 
-int Plugin::APIVersion() const
-	{
-	return config.api_version;
-	}
-
 bool Plugin::DynamicPlugin() const
 	{
 	return dynamic;
@@ -319,6 +377,22 @@ void Plugin::HookBroObjDtor(void* obj)
 	{
 	}
 
+void Plugin::HookLogInit(const std::string& writer,
+                         const std::string& instantiating_filter,
+                         bool local, bool remote,
+                         const logging::WriterBackend::WriterInfo& info,
+                         int num_fields, const threading::Field* const* fields)
+	{
+	}
+
+bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter,
+                          const logging::WriterBackend::WriterInfo& info,
+                          int num_fields, const threading::Field* const* fields,
+                          threading::Value** vals)
+	{
+	return true;
+	}
+
 void Plugin::MetaHookPre(HookType hook, const HookArgumentList& args)
 	{
 	}
diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h
index 54451dcfb6..c3f231bb93 100644
--- a/src/plugin/Plugin.h
+++ b/src/plugin/Plugin.h
@@ -11,16 +11,22 @@
 #include "analyzer/Component.h"
 #include "file_analysis/Component.h"
 #include "iosource/Component.h"
+#include "logging/WriterBackend.h"
 
-// We allow to override this externally for testing purposes.
-#ifndef BRO_PLUGIN_API_VERSION
-#define BRO_PLUGIN_API_VERSION 4
-#endif
+// Increase this when making incompatible changes to the plugin API. Note
+// that the constant is never used in C code. It's picked up on by CMake.
+#define BRO_PLUGIN_API_VERSION 6
+
+#define BRO_PLUGIN_BRO_VERSION BRO_VERSION_FUNCTION
 
 class ODesc;
 class Func;
 class Event;
 
+namespace threading {
+struct Field;
+}
+
 namespace plugin  {
 
 class Manager;
@@ -40,6 +46,8 @@ enum HookType {
 	HOOK_UPDATE_NETWORK_TIME,	//< Activates Plugin::HookUpdateNetworkTime.
 	HOOK_BRO_OBJ_DTOR,		//< Activates Plugin::HookBroObjDtor.
 	HOOK_SETUP_ANALYZER_TREE,	//< Activates Plugin::HookAddToAnalyzerTree
+	HOOK_LOG_INIT,			//< Activates Plugin::HookLogInit
+	HOOK_LOG_WRITE,			//< Activates Plugin::HookLogWrite
 
 	// Meta hooks.
 	META_HOOK_PRE,			//< Activates Plugin::MetaHookPre().
@@ -86,16 +94,21 @@ public:
 	// strong hint.). The attribute seems generally available.
 	inline Configuration() __attribute__((always_inline));
 
+        /**
+         * One can assign BRO_PLUGIN_BRO_VERSION to this to catch
+         * version mismatches at link(!) time.
+         */
+	const char* (*bro_version)();
+
 private:
 	friend class Plugin;
-	int api_version;	// Current BRO_PLUGIN_API_VERSION. Automatically set.
 };
 
 inline Configuration::Configuration()
 		{
 		name = "";
 		description = "";
-		api_version = BRO_PLUGIN_API_VERSION;
+		bro_version = BRO_PLUGIN_BRO_VERSION;
 		}
 
 /**
@@ -158,7 +171,8 @@ public:
 	 * Type of the argument.
 	 */
 	enum Type {
-		BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL, VAL_LIST, VOID, VOIDP
+		BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL,
+		VAL_LIST, VOID, VOIDP, WRITER_INFO, CONN, THREAD_FIELDS
 	};
 
 	/**
@@ -169,57 +183,72 @@ public:
 	/**
 	 * Constructor with a boolean argument.
 	 */
-	HookArgument(bool a)	{ type = BOOL; arg.bool_ = a; }
+	explicit HookArgument(bool a)	{ type = BOOL; arg.bool_ = a; }
 
 	/**
 	 * Constructor with a double argument.
 	 */
-	HookArgument(double a)	{ type = DOUBLE; arg.double_ = a; }
+	explicit HookArgument(double a)	{ type = DOUBLE; arg.double_ = a; }
 
 	/**
 	 * Constructor with an event argument.
 	 */
-	HookArgument(const Event* a)	{ type = EVENT; arg.event = a; }
+	explicit HookArgument(const Event* a)	{ type = EVENT; arg.event = a; }
+
+	/**
+	 * Constructor with an connection argument.
+	 */
+	explicit HookArgument(const Connection* c)	{ type = CONN; arg.conn = c; }
 
 	/**
 	 * Constructor with a function argument.
 	 */
-	HookArgument(const Func* a)	{ type = FUNC; arg.func = a; }
+	explicit HookArgument(const Func* a)	{ type = FUNC; arg.func = a; }
 
 	/**
 	 * Constructor with an integer  argument.
 	 */
-	HookArgument(int a)	{ type = INT; arg.int_ = a; }
+	explicit HookArgument(int a)	{ type = INT; arg.int_ = a; }
 
 	/**
 	 * Constructor with a string argument.
 	 */
-	HookArgument(const std::string& a)	{ type = STRING; arg_string = a; }
+	explicit HookArgument(const std::string& a)	{ type = STRING; arg_string = a; }
 
 	/**
 	 * Constructor with a Bro value argument.
 	 */
-	HookArgument(const Val* a)	{ type = VAL; arg.val = a; }
+	explicit HookArgument(const Val* a)	{ type = VAL; arg.val = a; }
 
 	/**
 	 * Constructor with a list of Bro values argument.
 	 */
-	HookArgument(const val_list* a)	{ type = VAL_LIST; arg.vals = a; }
+	explicit HookArgument(const val_list* a)	{ type = VAL_LIST; arg.vals = a; }
 
 	/**
 	 * Constructor with a void pointer argument.
 	 */
-	HookArgument(void* p)	{ type = VOIDP; arg.voidp = p; }
+	explicit HookArgument(void* p)	{ type = VOIDP; arg.voidp = p; }
 
 	/**
 	 * Constructor with a function result argument.
 	 */
-	HookArgument(std::pair<bool, Val*> fresult)	{ type = FUNC_RESULT; func_result = fresult; }
+	explicit HookArgument(std::pair<bool, Val*> fresult)	{ type = FUNC_RESULT; func_result = fresult; }
 
 	/**
 	 * Constructor with a Frame argument.
 	 */
-	HookArgument(Frame* f)	{ type = FRAME; arg.frame = f; }
+	explicit HookArgument(Frame* f)	{ type = FRAME; arg.frame = f; }
+
+	/**
+	 * Constructor with a WriterInfo argument.
+	 */
+	explicit HookArgument(const logging::WriterBackend::WriterInfo* i)	{ type = WRITER_INFO; arg.winfo = i; }
+
+	/**
+	 * Constructor with a threading field argument.
+	 */
+	explicit HookArgument(const std::pair<int, const threading::Field* const*> fpair)	{ type = THREAD_FIELDS; tfields = fpair; }
 
 	/**
 	 * Returns the value for a boolen argument. The argument's type must
@@ -239,6 +268,12 @@ public:
 	 */
 	const Event* AsEvent() const	{ assert(type == EVENT); return arg.event; }
 
+	/**
+	 * Returns the value for an connection argument. The argument's type must
+	 * match accordingly.
+	 */
+	const Connection* AsConnection() const	{ assert(type == CONN); return arg.conn; }
+
 	/**
 	 * Returns the value for a function argument. The argument's type must
 	 * match accordingly.
@@ -275,6 +310,18 @@ public:
 	 */
 	const Frame* AsFrame() const { assert(type == FRAME); return arg.frame; }
 
+	/**
+	 * Returns the value for a logging WriterInfo argument.  The argument's type must
+	 * match accordingly.
+	 */
+	const logging::WriterBackend::WriterInfo* AsWriterInfo() const { assert(type == WRITER_INFO); return arg.winfo; }
+
+	/**
+	 * Returns the value for a threading fields argument.  The argument's type must
+	 * match accordingly.
+	 */
+	const std::pair<int, const threading::Field* const*> AsThreadFields() const { assert(type == THREAD_FIELDS); return tfields; }
+
 	/**
 	 * Returns the value for a list of Bro values argument. The argument's type must
 	 * match accordingly.
@@ -305,16 +352,19 @@ private:
 		bool bool_;
 		double double_;
 		const Event* event;
+		const Connection* conn;
 		const Func* func;
 		const Frame* frame;
 		int int_;
 		const Val* val;
 		const val_list* vals;
 		const void* voidp;
+		const logging::WriterBackend::WriterInfo* winfo;
 	} arg;
 
 	// Outside union because these have dtors.
 	std::pair<bool, Val*> func_result;
+	std::pair<int, const threading::Field* const*> tfields;
 	std::string arg_string;
 };
 
@@ -398,15 +448,6 @@ public:
 	 **/
 	const std::string& PluginPath() const;
 
-	/**
-	 * Returns the internal version of the Bro API that this plugin
-	 * relies on. Only plugins that match Bro's current API version can
-	 * be used. For statically compiled plugins this is automatically the
-	 * case, but dynamically loaded plugins may cause a mismatch if they
-	 * were compiled for a different Bro version.
-	 */
-	int APIVersion() const;
-
 	/**
 	 * Returns a list of all components the plugin provides.
 	 */
@@ -642,6 +683,13 @@ protected:
 	 */
 	virtual void HookUpdateNetworkTime(double network_time);
 
+	/**
+	 * Hook that executes when a connection's initial analyzer tree
+	 * has been fully set up. The hook can manipulate the tree at this time,
+	 * for example by adding further analyzers.
+	 *
+	 * @param conn The connection.
+	 */
 	virtual void HookSetupAnalyzerTree(Connection *conn);
 
 	/**
@@ -656,6 +704,71 @@ protected:
 	 */
 	virtual void HookBroObjDtor(void* obj);
 
+	/**
+	 * Hook into log initialization. This method will be called when a
+	 * logging writer is created. A writer represents a single logging
+	 * filter. The method is called in the main thread, on the node that
+	 * causes a log line to be written. It will _not_ be called on the logger
+	 * node. The function will be called each for every instantiated writer.
+	 *
+	 * @param writer The name of the writer being insantiated.
+	 *
+	 * @param instantiating_filter Name of the filter causing the
+	 *        writer instantiation.
+	 *
+	 * @param local True if the filter is logging locally (writer
+	 *              thread will be located in same process).
+	 *
+	 * @param remote True if filter is logging remotely (writer thread
+	 *               will be located in different thread, typically
+	 *               in manager or logger node).
+	 *
+	 * @param info WriterBackend::WriterInfo with information about the writer.
+	 *
+	 * @param num_fields number of fields in the record being written.
+	 *
+	 * @param fields threading::Field description of the fields being logged.
+	 */
+	virtual void HookLogInit(const std::string& writer,
+	                         const std::string& instantiating_filter,
+	                         bool local, bool remote,
+	                         const logging::WriterBackend::WriterInfo& info,
+	                         int num_fields,
+	                         const threading::Field* const* fields);
+
+	/**
+	 * Hook into log writing. This method will be called for each log line
+	 * being written by each writer. Each writer represents a single logging
+	 * filter. The method is called in the main thread, on the node that
+	 * causes a log line to be written. It will _not_ be called on the logger
+	 * node.
+	 * This function allows plugins to modify or skip logging of information.
+	 * Note - once a log line is skipped (by returning false), it will not
+	 * passed on to hooks that have not yet been called.
+	 *
+	 * @param writer The name of the writer.
+	 *
+	 * @param filter Name of the filter being written to.
+	 *
+	 * @param info WriterBackend::WriterInfo with information about the writer.
+	 *
+	 * @param num_fields number of fields in the record being written.
+	 *
+	 * @param fields threading::Field description of the fields being logged.
+	 *
+	 * @param vals threading::Values containing the values being written. Values
+	 *             can be modified in the Hook.
+	 *
+	 * @return true if log line should be written, false if log line should be
+	 *         skipped and not passed on to the writer.
+	 */
+	virtual bool HookLogWrite(const std::string& writer,
+	                          const std::string& filter,
+	                          const logging::WriterBackend::WriterInfo& info,
+	                          int num_fields,
+	                          const threading::Field* const* fields,
+	                          threading::Value** vals);
+
 	// Meta hooks.
 
 	/**
diff --git a/src/rule-parse.y b/src/rule-parse.y
index 32ada02cb3..3e9c8d7ddf 100644
--- a/src/rule-parse.y
+++ b/src/rule-parse.y
@@ -14,7 +14,7 @@ extern void end_PS();
 Rule* current_rule = 0;
 const char* current_rule_file = 0;
 
-static uint8_t mask_to_len(uint32_t mask)
+static uint8_t ip4_mask_to_len(uint32_t mask)
 	{
 	if ( mask == 0xffffffff )
 	    return 32;
@@ -23,7 +23,7 @@ static uint8_t mask_to_len(uint32_t mask)
 	uint8_t len;
 	for ( len = 0; len < 32 && (! (x & (1 << len))); ++len );
 
-	return len;
+	return 32 - len;
 	}
 %}
 
@@ -315,7 +315,7 @@ prefix_value:
 		TOK_IP
 			{
 			$$ = new IPPrefix(IPAddr(IPv4, &($1.val), IPAddr::Host),
-			                  mask_to_len($1.mask));
+			                  ip4_mask_to_len($1.mask));
 			}
 	|	TOK_IP6
 	;
diff --git a/src/threading/BasicThread.cc b/src/threading/BasicThread.cc
index 86d7d7b560..d63b307470 100644
--- a/src/threading/BasicThread.cc
+++ b/src/threading/BasicThread.cc
@@ -5,6 +5,7 @@
 #include "bro-config.h"
 #include "BasicThread.h"
 #include "Manager.h"
+#include "pthread.h"
 
 #ifdef HAVE_LINUX
 #include <sys/prctl.h>
@@ -21,7 +22,6 @@ BasicThread::BasicThread()
 	started = false;
 	terminating = false;
 	killed = false;
-	pthread = 0;
 
 	buf_len = STD_FMT_BUF_LEN;
 	buf = (char*) safe_malloc(buf_len);
@@ -50,6 +50,7 @@ void BasicThread::SetName(const char* arg_name)
 
 void BasicThread::SetOSName(const char* arg_name)
 	{
+	static_assert(std::is_same<std::thread::native_handle_type, pthread_t>::value, "libstdc++ doesn't use pthread_t");
 
 #ifdef HAVE_LINUX
 	prctl(PR_SET_NAME, arg_name, 0, 0, 0);
@@ -60,7 +61,7 @@ void BasicThread::SetOSName(const char* arg_name)
 #endif
 
 #ifdef FREEBSD
-	pthread_set_name_np(pthread_self(), arg_name, arg_name);
+	pthread_set_name_np(thread.native_handle(), arg_name, arg_name);
 #endif
 	}
 
@@ -108,9 +109,7 @@ void BasicThread::Start()
 
 	started = true;
 
-	int err = pthread_create(&pthread, 0, BasicThread::launcher, this);
-	if ( err != 0 )
-		reporter->FatalError("Cannot create thread %s: %s", name, Strerror(err));
+	thread = std::thread(&BasicThread::launcher, this);
 
 	DBG_LOG(DBG_THREADING, "Started thread %s", name);
 
@@ -147,17 +146,21 @@ void BasicThread::Join()
 	if ( ! started )
 		return;
 
-	if ( ! pthread )
+	if ( ! thread.joinable() )
 		return;
 
 	assert(terminating);
 
-	if ( pthread_join(pthread, 0) != 0  )
-		reporter->FatalError("Failure joining thread %s", name);
+	try
+		{
+		thread.join();
+		}
+	catch ( const std::system_error& e )
+		{
+		reporter->FatalError("Failure joining thread %s with error %s", name, e.what());
+		}
 
 	DBG_LOG(DBG_THREADING, "Joined with thread %s", name);
-
-	pthread = 0;
 	}
 
 void BasicThread::Kill()
@@ -180,6 +183,7 @@ void BasicThread::Done()
 
 void* BasicThread::launcher(void *arg)
 	{
+	static_assert(std::is_same<std::thread::native_handle_type, pthread_t>::value, "libstdc++ doesn't use pthread_t");
 	BasicThread* thread = (BasicThread *)arg;
 
 	// Block signals in thread. We handle signals only in the main
diff --git a/src/threading/BasicThread.h b/src/threading/BasicThread.h
index 6386e5ae66..ea829fce54 100644
--- a/src/threading/BasicThread.h
+++ b/src/threading/BasicThread.h
@@ -2,8 +2,7 @@
 #ifndef THREADING_BASICTHREAD_H
 #define THREADING_BASICTHREAD_H
 
-#include <pthread.h>
-#include <semaphore.h>
+#include <thread>
 
 #include "util.h"
 
@@ -35,6 +34,9 @@ public:
 	 */
 	BasicThread();
 
+	BasicThread(BasicThread const&) = delete;
+	BasicThread& operator =(BasicThread const&) = delete;
+
 	/**
 	 * Returns a descriptive name for the thread. If not set via
 	 * SetName(). If not set, a default name is choosen automatically.
@@ -192,11 +194,11 @@ protected:
 	void Done();
 
 private:
-	// pthread entry function.
+	// thread entry function.
 	static void* launcher(void *arg);
 
 	const char* name;
-	pthread_t pthread;
+	std::thread thread;
 	bool started; 		// Set to to true once running.
 	bool terminating;	// Set to to true to signal termination.
 	bool killed;	// Set to true once forcefully killed.
diff --git a/src/threading/Formatter.cc b/src/threading/Formatter.cc
index 3f366de90a..b881962732 100644
--- a/src/threading/Formatter.cc
+++ b/src/threading/Formatter.cc
@@ -22,7 +22,7 @@ Formatter::~Formatter()
 	{
 	}
 
-string Formatter::Render(const threading::Value::addr_t& addr) const
+string Formatter::Render(const threading::Value::addr_t& addr)
 	{
 	if ( addr.family == IPv4 )
 		{
@@ -90,7 +90,7 @@ threading::Value::addr_t Formatter::ParseAddr(const string &s) const
 	return val;
 	}
 
-string Formatter::Render(const threading::Value::subnet_t& subnet) const
+string Formatter::Render(const threading::Value::subnet_t& subnet)
 	{
 	char l[16];
 
@@ -104,7 +104,7 @@ string Formatter::Render(const threading::Value::subnet_t& subnet) const
 	return s;
 	}
 
-string Formatter::Render(double d) const
+string Formatter::Render(double d)
 	{
 	char buf[256];
 	modp_dtoa(d, buf, 6);
diff --git a/src/threading/Formatter.h b/src/threading/Formatter.h
index c8337959bf..c564f3c945 100644
--- a/src/threading/Formatter.h
+++ b/src/threading/Formatter.h
@@ -87,7 +87,7 @@ public:
 	 *
 	 * @return An ASCII representation of the address.
 	 */
-	string Render(const threading::Value::addr_t& addr) const;
+	static string Render(const threading::Value::addr_t& addr);
 
 	/**
 	 * Convert an subnet value into a string.
@@ -98,7 +98,7 @@ public:
 	 *
 	 * @return An ASCII representation of the subnet.
 	 */
-	string Render(const threading::Value::subnet_t& subnet) const;
+	static string Render(const threading::Value::subnet_t& subnet);
 
 	/**
 	 * Convert a double into a string. This renders the double with Bro's
@@ -110,7 +110,7 @@ public:
 	 *
 	 * @return An ASCII representation of the double.
 	 */
-	string Render(double d) const;
+	static string Render(double d);
 
 	/**
 	 * Convert a string into a TransportProto. The string must be one of
diff --git a/src/threading/MsgThread.h b/src/threading/MsgThread.h
index 96da68e1d0..480ab2974c 100644
--- a/src/threading/MsgThread.h
+++ b/src/threading/MsgThread.h
@@ -2,8 +2,6 @@
 #ifndef THREADING_MSGTHREAD_H
 #define THREADING_MSGTHREAD_H
 
-#include <pthread.h>
-
 #include "DebugLogger.h"
 
 #include "BasicThread.h"
diff --git a/src/threading/Queue.h b/src/threading/Queue.h
index 6d21bfd998..9ac9268a7a 100644
--- a/src/threading/Queue.h
+++ b/src/threading/Queue.h
@@ -1,7 +1,8 @@
 #ifndef THREADING_QUEUE_H
 #define THREADING_QUEUE_H
 
-#include <pthread.h>
+#include <mutex>
+#include <condition_variable>
 #include <queue>
 #include <deque>
 #include <stdint.h>
@@ -22,7 +23,7 @@ namespace threading {
  *
  * All Queue instances must be instantiated by Bro's main thread.
  *
- * TODO: Unclear how critical performance is for this qeueue. We could like;y
+ * TODO: Unclear how critical performance is for this qeueue. We could likely
  * optimize it further if helpful.
  */
 template<typename T>
@@ -71,9 +72,10 @@ public:
 	 */
 	bool MaybeReady() { return (num_reads != num_writes); }
 
-	/** Wake up the reader if it's currently blocked for input. This is
-	 primarily to give it a chance to check termination quickly.
-	**/
+	/**
+	 * Wake up the reader if it's currently blocked for input. This is
+	 * primarily to give it a chance to check termination quickly.
+	 */
 	void WakeUp();
 
 	/**
@@ -94,14 +96,17 @@ public:
 	 * Returns statistics about the queue's usage.
 	 *
 	 * @param stats A pointer to a structure that will be filled with
-	 * current numbers. */
+	 * current numbers.
+	 */
 	void GetStats(Stats* stats);
 
 private:
 	static const int NUM_QUEUES = 8;
 
-	pthread_mutex_t mutex[NUM_QUEUES];	// Mutex protected shared accesses.
-	pthread_cond_t has_data[NUM_QUEUES];	// Signals when data becomes available
+	std::vector<std::unique_lock<std::mutex>> LocksForAllQueues();
+
+	std::mutex mutex[NUM_QUEUES];	// Mutex protected shared accesses.
+	std::condition_variable has_data[NUM_QUEUES];	// Signals when data becomes available
 	std::queue<T> messages[NUM_QUEUES];	// Actually holds the queued messages
 
 	int read_ptr;	// Where the next operation will read from
@@ -115,17 +120,18 @@ private:
 	uint64_t num_writes;
 };
 
-inline static void safe_lock(pthread_mutex_t* mutex)
+inline static std::unique_lock<std::mutex> acquire_lock(std::mutex& m)
 	{
-	int res = pthread_mutex_lock(mutex);
-	if ( res != 0 )
-		reporter->FatalErrorWithCore("cannot lock mutex: %d(%s)", res, strerror(res));
-	}
-
-inline static void safe_unlock(pthread_mutex_t* mutex)
-	{
-	if ( pthread_mutex_unlock(mutex) != 0 )
-		reporter->FatalErrorWithCore("cannot unlock mutex");
+	try
+		{
+		return std::unique_lock<std::mutex>(m);
+		}
+	catch ( const std::system_error& e )
+		{
+		reporter->FatalErrorWithCore("cannot lock mutex: %s", e.what());
+		// Never gets here.
+		throw std::exception();
+		}
 	}
 
 template<typename T>
@@ -136,50 +142,28 @@ inline Queue<T>::Queue(BasicThread* arg_reader, BasicThread* arg_writer)
 	num_reads = num_writes = 0;
 	reader = arg_reader;
 	writer = arg_writer;
-
-	for( int i = 0; i < NUM_QUEUES; ++i )
-		{
-		if ( pthread_cond_init(&has_data[i], 0) != 0 )
-			reporter->FatalError("cannot init queue condition variable");
-
-		if ( pthread_mutex_init(&mutex[i], 0) != 0 )
-			reporter->FatalError("cannot init queue mutex");
-		}
 	}
 
 template<typename T>
 inline Queue<T>::~Queue()
 	{
-	for( int i = 0; i < NUM_QUEUES; ++i )
-		{
-		pthread_cond_destroy(&has_data[i]);
-		pthread_mutex_destroy(&mutex[i]);
-		}
 	}
 
 template<typename T>
 inline T Queue<T>::Get()
 	{
-	safe_lock(&mutex[read_ptr]);
+	auto lock = acquire_lock(mutex[read_ptr]);
 
 	int old_read_ptr = read_ptr;
 
 	if ( messages[read_ptr].empty() && ! ((reader && reader->Killed()) || (writer && writer->Killed())) )
 		{
-		struct timespec ts;
-		ts.tv_sec = time(0) + 5;
-		ts.tv_nsec = 0;
-
-		pthread_cond_timedwait(&has_data[read_ptr], &mutex[read_ptr], &ts);
-		safe_unlock(&mutex[read_ptr]);
-		return 0;
+		if ( has_data[read_ptr].wait_for(lock, std::chrono::seconds(5)) == std::cv_status::timeout )
+			return nullptr;
 		}
 
-	else if ( messages[read_ptr].empty() )
-		{
-		safe_unlock(&mutex[read_ptr]);
-		return 0;
-		}
+	if ( messages[read_ptr].empty() )
+		return nullptr;
 
 	T data = messages[read_ptr].front();
 	messages[read_ptr].pop();
@@ -187,15 +171,13 @@ inline T Queue<T>::Get()
 	read_ptr = (read_ptr + 1) % NUM_QUEUES;
 	++num_reads;
 
-	safe_unlock(&mutex[old_read_ptr]);
-
 	return data;
 	}
 
 template<typename T>
 inline void Queue<T>::Put(T data)
 	{
-	safe_lock(&mutex[write_ptr]);
+	auto lock = acquire_lock(mutex[write_ptr]);
 
 	int old_write_ptr = write_ptr;
 
@@ -203,43 +185,59 @@ inline void Queue<T>::Put(T data)
 
 	messages[write_ptr].push(data);
 
-	if ( need_signal )
-		pthread_cond_signal(&has_data[write_ptr]);
-
 	write_ptr = (write_ptr + 1) % NUM_QUEUES;
 	++num_writes;
 
-	safe_unlock(&mutex[old_write_ptr]);
+	if ( need_signal )
+		{
+		lock.unlock();
+		has_data[old_write_ptr].notify_one();
+		}
 	}
 
 
 template<typename T>
 inline bool Queue<T>::Ready()
 	{
-	safe_lock(&mutex[read_ptr]);
+	auto lock = acquire_lock(mutex[read_ptr]);
 
 	bool ret = (messages[read_ptr].size());
 
-	safe_unlock(&mutex[read_ptr]);
-
 	return ret;
 	}
 
+template<typename T>
+inline std::vector<std::unique_lock<std::mutex>> Queue<T>::LocksForAllQueues()
+	{
+	std::vector<std::unique_lock<std::mutex>> locks;
+
+	try
+		{
+		for ( int i = 0; i < NUM_QUEUES; i++ )
+			locks.emplace_back(std::unique_lock<std::mutex>(mutex[i]));
+		}
+
+	catch ( const std::system_error& e )
+		{
+		reporter->FatalErrorWithCore("cannot lock all mutexes: %s", e.what());
+		// Never gets here.
+		throw std::exception();
+		}
+
+	return locks;
+	}
+
 template<typename T>
 inline uint64_t Queue<T>::Size()
 	{
 	// Need to lock all queues.
-	for ( int i = 0; i < NUM_QUEUES; i++ )
-		safe_lock(&mutex[i]);
+	auto locks = LocksForAllQueues();
 
 	uint64_t size = 0;
 
 	for ( int i = 0; i < NUM_QUEUES; i++ )
 		size += messages[i].size();
 
-	for ( int i = 0; i < NUM_QUEUES; i++ )
-		safe_unlock(&mutex[i]);
-
 	return size;
 	}
 
@@ -248,29 +246,19 @@ inline void Queue<T>::GetStats(Stats* stats)
 	{
 	// To be safe, we look all queues. That's probably unneccessary, but
 	// doesn't really hurt.
-	for ( int i = 0; i < NUM_QUEUES; i++ )
-		safe_lock(&mutex[i]);
+	auto locks = LocksForAllQueues();
 
 	stats->num_reads = num_reads;
 	stats->num_writes = num_writes;
-
-	for ( int i = 0; i < NUM_QUEUES; i++ )
-		safe_unlock(&mutex[i]);
 	}
 
 template<typename T>
 inline void Queue<T>::WakeUp()
 	{
 	for ( int i = 0; i < NUM_QUEUES; i++ )
-		{
-		safe_lock(&mutex[i]);
-		pthread_cond_signal(&has_data[i]);
-		safe_unlock(&mutex[i]);
-		}
+		has_data[i].notify_all();
 	}
 
 }
 
-
 #endif
-
diff --git a/src/threading/SerialTypes.h b/src/threading/SerialTypes.h
index e056f6c170..af3f92d416 100644
--- a/src/threading/SerialTypes.h
+++ b/src/threading/SerialTypes.h
@@ -98,7 +98,7 @@ struct Value {
 	typedef set_t vec_t;
 	struct port_t { bro_uint_t port; TransportProto proto; };
 
-        struct addr_t {
+	struct addr_t {
 		IPFamily family;
 		union {
 			struct in_addr in4;
@@ -106,6 +106,13 @@ struct Value {
 		} in;
 	};
 
+	// A small note for handling subnet values: Subnet values emitted from
+	// the logging framework will always have a length that is based on the
+	// internal IPv6 representation (so you have to substract 96 from it to
+	// get the correct value for IPv4).
+	// However, the Input framework expects the "normal" length for an IPv4
+	// address (so do not add 96 to it), because the underlying constructors
+	// for the SubNet type want it like this.
 	struct subnet_t { addr_t prefix; uint8_t length; };
 
 	/**
diff --git a/src/types.bif b/src/types.bif
index 500c8c9851..20995ef105 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -30,7 +30,7 @@ enum proc_t %{	# NFSv3 procedures
 	PROC_MKNOD    = 11,	# not implemented
 	PROC_REMOVE   = 12,	# done
 	PROC_RMDIR    = 13,	# done
-	PROC_RENAME   = 14,	# not implemented
+	PROC_RENAME   = 14,	# done
 	PROC_LINK     = 15,	# not implemented
 	PROC_READDIR  = 16,	# done
 	PROC_READDIRPLUS  = 17,	# done
@@ -101,6 +101,7 @@ enum createmode_t %{
 type info_t: record;
 type fattr_t: record;
 type diropargs_t: record;
+type renameopargs_t: record;
 type lookup_reply_t: record;
 type readargs_t: record;
 type read_reply_t: record;
@@ -110,6 +111,7 @@ type wcc_attr_t: record;
 type write_reply_t: record;
 type newobj_reply_t: record;
 type delobj_reply_t: record;
+type renameobj_reply_t: record;
 type readdirargs_t: record;
 type direntry_t: record;
 type direntry_vec_t: vector;
diff --git a/src/version.c.in b/src/version.c.in
index 86c4b16f24..65df65da00 100644
--- a/src/version.c.in
+++ b/src/version.c.in
@@ -1 +1,13 @@
+
+#include "bro-config.h"
+
 char version[] = "@VERSION@";
+
+// A C function that has the current version built into its name.
+// One can link a shared library against this to ensure that it won't
+// load if the version of the main Bro binary differs compared to
+// what the library was compiled against.
+const char* BRO_VERSION_FUNCTION()
+{
+    return "@VERSION_C_IDENT@";
+}
diff --git a/testing/btest/Baseline/bifs.directory_operations/out b/testing/btest/Baseline/bifs.directory_operations/out
new file mode 100644
index 0000000000..8465596a92
--- /dev/null
+++ b/testing/btest/Baseline/bifs.directory_operations/out
@@ -0,0 +1,10 @@
+T
+T
+T
+T
+T
+T
+F
+F
+F
+F
diff --git a/testing/btest/Baseline/broker.remote_log/recv.recv.out b/testing/btest/Baseline/broker.remote_log/recv.recv.out
index 2f4a31df51..e69de29bb2 100644
--- a/testing/btest/Baseline/broker.remote_log/recv.recv.out
+++ b/testing/btest/Baseline/broker.remote_log/recv.recv.out
@@ -1,6 +0,0 @@
-wrote log, [msg=ping, nolog=no, num=0]
-wrote log, [msg=ping, nolog=no, num=1]
-wrote log, [msg=ping, nolog=no, num=2]
-wrote log, [msg=ping, nolog=no, num=3]
-wrote log, [msg=ping, nolog=no, num=4]
-wrote log, [msg=ping, nolog=no, num=5]
diff --git a/testing/btest/Baseline/broker.remote_log/recv.test.log b/testing/btest/Baseline/broker.remote_log/recv.test.log
index 0d6dae756c..b79e1b53b9 100644
--- a/testing/btest/Baseline/broker.remote_log/recv.test.log
+++ b/testing/btest/Baseline/broker.remote_log/recv.test.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	test
-#open	2015-01-26-22-47-11
+#open	2017-02-27-16-21-20
 #fields	msg	num
 #types	string	count
 ping	0
@@ -12,4 +12,4 @@ ping	2
 ping	3
 ping	4
 ping	5
-#close	2015-01-26-22-47-11
+#close	2017-02-27-16-21-20
diff --git a/testing/btest/Baseline/broker.remote_log/send.test.log b/testing/btest/Baseline/broker.remote_log/send.test.log
index 0d6dae756c..93862c656b 100644
--- a/testing/btest/Baseline/broker.remote_log/send.test.log
+++ b/testing/btest/Baseline/broker.remote_log/send.test.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	test
-#open	2015-01-26-22-47-11
+#open	2017-02-27-16-21-19
 #fields	msg	num
 #types	string	count
 ping	0
@@ -12,4 +12,4 @@ ping	2
 ping	3
 ping	4
 ping	5
-#close	2015-01-26-22-47-11
+#close	2017-02-27-16-21-20
diff --git a/src/analyzer/protocol/ayiya/events.bif b/testing/btest/Baseline/broker.remote_log_types/recv.recv.out
similarity index 100%
rename from src/analyzer/protocol/ayiya/events.bif
rename to testing/btest/Baseline/broker.remote_log_types/recv.recv.out
diff --git a/testing/btest/Baseline/broker.remote_log_types/recv.test.log b/testing/btest/Baseline/broker.remote_log_types/recv.test.log
new file mode 100644
index 0000000000..eb2b066cd4
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_log_types/recv.test.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#open	2017-02-11-02-17-35
+#fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve	f
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	set[count]	set[string]	set[string]	vector[count]	vector[string]	func
+T	-42	Test::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1486779455.703438	100.000000	hurz	1	AA	(empty)	10,20,30	(empty)	foo\x0a{ \x0aif (0 < i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
+#close	2017-02-11-02-17-35
diff --git a/testing/btest/Baseline/broker.remote_log_types/send.send.out b/testing/btest/Baseline/broker.remote_log_types/send.send.out
new file mode 100644
index 0000000000..632279e697
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_log_types/send.send.out
@@ -0,0 +1 @@
+Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
diff --git a/testing/btest/Baseline/broker.remote_log_types/send.test.log b/testing/btest/Baseline/broker.remote_log_types/send.test.log
new file mode 100644
index 0000000000..59987c5998
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_log_types/send.test.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	test
+#open	2017-02-11-02-17-35
+#fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve	f
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	set[count]	set[string]	set[string]	vector[count]	vector[string]	func
+T	-42	Test::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1486779455.703438	100.000000	hurz	1	AA	(empty)	10,20,30	(empty)	foo\x0a{ \x0aif (0 < i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
+#close	2017-02-11-02-17-36
diff --git a/testing/btest/Baseline/core.erspan/tunnel.log b/testing/btest/Baseline/core.erspan/tunnel.log
new file mode 100644
index 0000000000..76d2784a7a
--- /dev/null
+++ b/testing/btest/Baseline/core.erspan/tunnel.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2017-02-03-20-27-11
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1442309933.472798	CHhAvVGS1DHFjwGM9	10.200.0.3	0	10.200.0.224	0	Tunnel::GRE	Tunnel::DISCOVER
+#close	2017-02-03-20-27-11
diff --git a/testing/btest/Baseline/core.history-flip/conn.log b/testing/btest/Baseline/core.history-flip/conn.log
index b04a28b1cb..4c22a6484b 100644
--- a/testing/btest/Baseline/core.history-flip/conn.log
+++ b/testing/btest/Baseline/core.history-flip/conn.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2016-07-13-17-58-11
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1128727435.633408	CHhAvVGS1DHFjwGM9	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.550793	98	9417	SF	-	-	0	^hADdFaf	11	670	10	9945	(empty)
-#close	2016-07-13-17-58-11
+#open	2017-01-30-23-13-15
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	orig_l2_addr	resp_l2_addr
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	string	string
+1128727435.633408	CHhAvVGS1DHFjwGM9	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.550793	98	9417	SF	-	-	0	^hADdFaf	11	670	10	9945	(empty)	00:d0:03:3b:f4:00	00:b0:c2:86:ec:00
+#close	2017-01-30-23-13-15
diff --git a/testing/btest/Baseline/core.pcap.dumper/output b/testing/btest/Baseline/core.pcap.dumper/output
index c32a9e1b5e..1fef85cb6f 100644
--- a/testing/btest/Baseline/core.pcap.dumper/output
+++ b/testing/btest/Baseline/core.pcap.dumper/output
@@ -1 +1,4 @@
-00000010  ff ff 00 00 01 00 00 00  1d a2 b2 4e 73 00 07 00  | | 00000010  00 20 00 00 01 00 00 00  1d a2 b2 4e 73 00 07 00  |
+2c2
+< 00000010  ff ff 00 00 01 00 00 00  1d a2 b2 4e 73 00 07 00  |...........Ns...|
+---
+> 00000010  00 20 00 00 01 00 00 00  1d a2 b2 4e 73 00 07 00  |. .........Ns...|
diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
index a7b6c3b972..31087d58cc 100644
--- a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	files
-#open	2016-07-13-16-13-01
-#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
-#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
-1395939406.177079	FAb5m22Dhe2Zi95anf	192.168.56.101	192.168.56.1	ClEkJM2Vm5giqnMf4h	FTP_DATA	0	DATA_EVENT	text/plain	-	0.000000	-	F	270	-	0	0	F	-	-	-	-	-
-1395939411.364462	FhI0ao2FNTjabdfSBd	192.168.56.101	192.168.56.1	C4J4Th3PJpwUYZZ6gc	FTP_DATA	0	DATA_EVENT	text/plain	-	150.490904	-	F	23822	-	5416642848	0	F	-	-	-	-	-
-#close	2016-07-13-16-13-01
+#open	2017-01-25-07-03-11
+#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
+#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
+1395939406.177079	FAb5m22Dhe2Zi95anf	192.168.56.101	192.168.56.1	ClEkJM2Vm5giqnMf4h	FTP_DATA	0	DATA_EVENT	text/plain	-	0.000000	-	F	270	-	0	0	F	-	-	-	-	-	-	-
+1395939411.364462	FhI0ao2FNTjabdfSBd	192.168.56.101	192.168.56.1	C4J4Th3PJpwUYZZ6gc	FTP_DATA	0	DATA_EVENT	text/plain	-	150.490904	-	F	23822	-	5416642848	0	F	-	-	-	-	-	-	-
+#close	2017-01-25-07-03-11
diff --git a/testing/btest/Baseline/core.tunnels.gre/ssh.log b/testing/btest/Baseline/core.tunnels.gre/ssh.log
index a3f6d0d738..7ffd15a845 100644
--- a/testing/btest/Baseline/core.tunnels.gre/ssh.log
+++ b/testing/btest/Baseline/core.tunnels.gre/ssh.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssh
-#open	2016-10-13-19-54-38
+#open	2017-08-01-16-46-22
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	auth_success	auth_attempts	direction	client	server	cipher_alg	mac_alg	compression_alg	kex_alg	host_key_alg	host_key
 #types	time	string	addr	port	addr	port	count	bool	count	enum	string	string	string	string	string	string	string	string
-1055289978.855137	CtPZjS20MLrsMUOJi2	66.59.111.190	40264	172.28.2.3	22	2	-	-	-	SSH-2.0-OpenSSH_3.6.1p1	SSH-1.99-OpenSSH_3.1p1	aes128-cbc	hmac-md5	none	diffie-hellman-group-exchange-sha1	ssh-rsa	20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07
-#close	2016-10-13-19-54-38
+1055289978.855137	CtPZjS20MLrsMUOJi2	66.59.111.190	40264	172.28.2.3	22	2	-	0	-	SSH-2.0-OpenSSH_3.6.1p1	SSH-1.99-OpenSSH_3.1p1	aes128-cbc	hmac-md5	none	diffie-hellman-group-exchange-sha1	ssh-rsa	20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07
+#close	2017-08-01-16-46-22
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index fc4caff34e..52a660261c 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-10-07-19-25-03
+#open	2017-05-02-20-38-47
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -58,11 +58,11 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/top-k.bif.bro
   build/scripts/base/bif/plugins/__load__.bro
     build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro
     build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro
     build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro
     build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro
     build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro
+    build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro
     build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro
     build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro
@@ -73,7 +73,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_GSSAPI.types.bif.bro
     build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro
     build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro
     build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro
@@ -95,7 +94,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro
     build/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro
     build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro
@@ -128,8 +126,11 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
+    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro
+    build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.types.bif.bro
     build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro
@@ -146,7 +147,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro
     build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro
@@ -157,6 +157,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.types.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
+    build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro
     build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro
     build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro
     build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro
@@ -167,4 +168,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2016-10-07-19-25-03
+#close	2017-05-02-20-38-47
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 603e9d7007..75ef872a95 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-10-07-19-25-14
+#open	2017-05-02-20-39-05
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -58,11 +58,11 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/top-k.bif.bro
   build/scripts/base/bif/plugins/__load__.bro
     build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro
     build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro
     build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro
     build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro
     build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro
+    build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro
     build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro
     build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro
@@ -73,7 +73,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_GSSAPI.types.bif.bro
     build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro
     build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro
     build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro
@@ -95,7 +94,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro
     build/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro
     build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro
@@ -128,8 +126,11 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
+    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro
+    build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.types.bif.bro
     build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro
@@ -146,7 +147,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro
     build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro
@@ -157,6 +157,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.types.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
+    build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro
     build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro
     build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro
     build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro
@@ -284,6 +285,7 @@ scripts/base/init-default.bro
         scripts/base/protocols/ssl/consts.bro
         scripts/base/protocols/ssl/main.bro
         scripts/base/protocols/ssl/mozilla-ca-list.bro
+        scripts/base/protocols/ssl/ct-list.bro
         scripts/base/protocols/ssl/files.bro
           scripts/base/files/x509/__load__.bro
             scripts/base/files/x509/main.bro
@@ -355,4 +357,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-filtered-trace.bro
   scripts/base/misc/version.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2016-10-07-19-25-14
+#close	2017-05-02-20-39-05
diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out
index 9ff209d2e6..09a08914fe 100644
--- a/testing/btest/Baseline/coverage.find-bro-logs/out
+++ b/testing/btest/Baseline/coverage.find-bro-logs/out
@@ -30,6 +30,7 @@ netcontrol_shunt
 notice
 notice_alarm
 ntlm
+ocsp
 open_flow
 packet_filter
 pe
diff --git a/testing/btest/Baseline/language.expire-expr-error/output b/testing/btest/Baseline/language.expire-expr-error/output
index 544527fe23..cf43dd4c80 100644
--- a/testing/btest/Baseline/language.expire-expr-error/output
+++ b/testing/btest/Baseline/language.expire-expr-error/output
@@ -1,2 +1,2 @@
-error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.bro, line 7: no such index (x[kaputt])
+error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.bro, line 8: no such index (x[kaputt])
 received termination signal
diff --git a/testing/btest/Baseline/language.expire-redef/output b/testing/btest/Baseline/language.expire-redef/output
index d5a745e7f3..42bb1b485c 100644
--- a/testing/btest/Baseline/language.expire-redef/output
+++ b/testing/btest/Baseline/language.expire-redef/output
@@ -1,5 +1,3 @@
-Run 0
 Run 1
 Expired: 0 --> some data
 Run 2
-Run 3
diff --git a/testing/btest/Baseline/language.no-module/out b/testing/btest/Baseline/language.no-module/out
index 5b011543b5..e7a3607e96 100644
--- a/testing/btest/Baseline/language.no-module/out
+++ b/testing/btest/Baseline/language.no-module/out
@@ -1,4 +1,5 @@
 function (PASS)
 global variable (PASS)
+fully qualified global variable (PASS)
 const (PASS)
 event (PASS)
diff --git a/testing/btest/Baseline/language.uninitialized-local2/out b/testing/btest/Baseline/language.uninitialized-local2/out
new file mode 100644
index 0000000000..75d09294e6
--- /dev/null
+++ b/testing/btest/Baseline/language.uninitialized-local2/out
@@ -0,0 +1,2 @@
+error in /home/jon/projects/bro/bro/testing/btest/.tmp/language.uninitialized-local2/uninitialized-local2.bro, line 19: value used but not set (var_b)
+var_a is, baz
diff --git a/testing/btest/Baseline/plugins.api-version-mismatch/output b/testing/btest/Baseline/plugins.api-version-mismatch/output
deleted file mode 100644
index 04f3cdd3a2..0000000000
--- a/testing/btest/Baseline/plugins.api-version-mismatch/output
+++ /dev/null
@@ -1 +0,0 @@
-fatal error in /home/robin/bro/plugins/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/plugins/testing/btest/.tmp/plugins.api-version-mismatch/build//lib/XXX)
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 177cdfb0d7..9f231d821f 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -150,8 +150,17 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <null>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/pkix-cert)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/x-x509-ca-cert)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/x-x509-user-cert)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_PE, application/x-dosexec)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_SHA1, application/pkix-cert)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_SHA1, application/x-x509-ca-cert)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_SHA1, application/x-x509-user-cert)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_X509, application/pkix-cert)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_X509, application/x-x509-ca-cert)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_X509, application/x-x509-user-cert)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_for_mime_types, <frame>, (Files::ANALYZER_PE, {application/x-dosexec})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> <no result>
@@ -247,7 +256,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -377,7 +386,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -410,15 +419,12 @@
 0.000000   MetaHookPost  CallFunction(reading_live_traffic, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_traces, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$)) -> <no result>
-0.000000   MetaHookPost  CallFunction(strftime, <frame>, (%Y, 1475869873.545611)) -> <no result>
 0.000000   MetaHookPost  CallFunction(string_to_pattern, <frame>, ((^\.?|\.)()$, F)) -> <no result>
 0.000000   MetaHookPost  CallFunction(sub, <frame>, ((^\.?|\.)(~~)$, <...>/, )) -> <no result>
-0.000000   MetaHookPost  CallFunction(to_count, <frame>, (2016)) -> <no result>
 0.000000   MetaHookPost  DrainEvents() -> <void>
 0.000000   MetaHookPost  LoadFile(../main) -> -1
 0.000000   MetaHookPost  LoadFile(../plugin) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_ARP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_AYIYA.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_AsciiReader.ascii.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_AsciiWriter.ascii.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_BackDoor.events.bif.bro) -> -1
@@ -427,6 +433,7 @@
 0.000000   MetaHookPost  LoadFile(./Bro_BitTorrent.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_ConnSize.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_ConnSize.functions.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_DCE_RPC.consts.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_DCE_RPC.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_DCE_RPC.types.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_DHCP.events.bif.bro) -> -1
@@ -441,7 +448,6 @@
 0.000000   MetaHookPost  LoadFile(./Bro_FileHash.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_Finger.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_GSSAPI.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_GSSAPI.types.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_GTPv1.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_Gnutella.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_HTTP.events.bif.bro) -> -1
@@ -466,7 +472,6 @@
 0.000000   MetaHookPost  LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_NoneWriter.none.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_PE.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_PIA.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_POP3.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_RADIUS.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_RDP.events.bif.bro) -> -1
@@ -475,6 +480,8 @@
 0.000000   MetaHookPost  LoadFile(./Bro_RPC.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_RawReader.raw.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SIP.events.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_SMB.consts.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_SMB.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SMB.smb1_com_check_directory.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SMB.smb1_com_close.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SMB.smb1_com_create_directory.bif.bro) -> -1
@@ -499,6 +506,7 @@
 0.000000   MetaHookPost  LoadFile(./Bro_SMB.smb2_com_session_setup.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SMB.smb2_com_set_info.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SMB.smb2_com_write.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SMB.smb2_events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SMB.types.bif.bro) -> -1
@@ -524,9 +532,9 @@
 0.000000   MetaHookPost  LoadFile(./Bro_Unified2.types.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_X509.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_X509.functions.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_X509.ocsp_events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_X509.types.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_XMPP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_ZIP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./acld) -> -1
 0.000000   MetaHookPost  LoadFile(./addrs) -> -1
 0.000000   MetaHookPost  LoadFile(./analyzer.bif.bro) -> -1
@@ -544,6 +552,7 @@
 0.000000   MetaHookPost  LoadFile(./consts) -> -1
 0.000000   MetaHookPost  LoadFile(./consts.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./contents) -> -1
+0.000000   MetaHookPost  LoadFile(./ct-list) -> -1
 0.000000   MetaHookPost  LoadFile(./data.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./dcc-send) -> -1
 0.000000   MetaHookPost  LoadFile(./debug) -> -1
@@ -714,6 +723,8 @@
 0.000000   MetaHookPost  LoadFile(base<...>/weird) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/x509) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/xmpp) -> -1
+0.000000   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> <void>
+0.000000   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>) -> true
 0.000000   MetaHookPost  QueueEvent(NetControl::init()) -> false
 0.000000   MetaHookPost  QueueEvent(bro_init()) -> false
 0.000000   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
@@ -869,8 +880,17 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <frame>, ())
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <null>, ())
-0.000000   MetaHookPre   CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}))
+0.000000   MetaHookPre   CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)}))
+0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/pkix-cert))
+0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/x-x509-ca-cert))
+0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/x-x509-user-cert))
 0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_PE, application/x-dosexec))
+0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_SHA1, application/pkix-cert))
+0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_SHA1, application/x-x509-ca-cert))
+0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_SHA1, application/x-x509-user-cert))
+0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_X509, application/pkix-cert))
+0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_X509, application/x-x509-ca-cert))
+0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_X509, application/x-x509-user-cert))
 0.000000   MetaHookPre   CallFunction(Files::register_for_mime_types, <frame>, (Files::ANALYZER_PE, {application/x-dosexec}))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]))
@@ -966,7 +986,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -1096,7 +1116,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1129,15 +1149,12 @@
 0.000000   MetaHookPre   CallFunction(reading_live_traffic, <frame>, ())
 0.000000   MetaHookPre   CallFunction(reading_traces, <frame>, ())
 0.000000   MetaHookPre   CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$))
-0.000000   MetaHookPre   CallFunction(strftime, <frame>, (%Y, 1475869873.545611))
 0.000000   MetaHookPre   CallFunction(string_to_pattern, <frame>, ((^\.?|\.)()$, F))
 0.000000   MetaHookPre   CallFunction(sub, <frame>, ((^\.?|\.)(~~)$, <...>/, ))
-0.000000   MetaHookPre   CallFunction(to_count, <frame>, (2016))
 0.000000   MetaHookPre   DrainEvents()
 0.000000   MetaHookPre   LoadFile(../main)
 0.000000   MetaHookPre   LoadFile(../plugin)
 0.000000   MetaHookPre   LoadFile(./Bro_ARP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_AYIYA.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_AsciiReader.ascii.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_AsciiWriter.ascii.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_BackDoor.events.bif.bro)
@@ -1146,6 +1163,7 @@
 0.000000   MetaHookPre   LoadFile(./Bro_BitTorrent.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_ConnSize.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_ConnSize.functions.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_DCE_RPC.consts.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_DCE_RPC.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_DCE_RPC.types.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_DHCP.events.bif.bro)
@@ -1160,7 +1178,6 @@
 0.000000   MetaHookPre   LoadFile(./Bro_FileHash.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_Finger.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_GSSAPI.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_GSSAPI.types.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_GTPv1.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_Gnutella.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_HTTP.events.bif.bro)
@@ -1185,7 +1202,6 @@
 0.000000   MetaHookPre   LoadFile(./Bro_NetBIOS.functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_NoneWriter.none.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_PE.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_PIA.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_POP3.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_RADIUS.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_RDP.events.bif.bro)
@@ -1194,6 +1210,8 @@
 0.000000   MetaHookPre   LoadFile(./Bro_RPC.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_RawReader.raw.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SIP.events.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_SMB.consts.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_SMB.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SMB.smb1_com_check_directory.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SMB.smb1_com_close.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SMB.smb1_com_create_directory.bif.bro)
@@ -1218,6 +1236,7 @@
 0.000000   MetaHookPre   LoadFile(./Bro_SMB.smb2_com_session_setup.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SMB.smb2_com_set_info.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SMB.smb2_com_tree_connect.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_SMB.smb2_com_tree_disconnect.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SMB.smb2_com_write.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SMB.smb2_events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SMB.types.bif.bro)
@@ -1243,9 +1262,9 @@
 0.000000   MetaHookPre   LoadFile(./Bro_Unified2.types.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_X509.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_X509.functions.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_X509.ocsp_events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_X509.types.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_XMPP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_ZIP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./acld)
 0.000000   MetaHookPre   LoadFile(./addrs)
 0.000000   MetaHookPre   LoadFile(./analyzer.bif.bro)
@@ -1263,6 +1282,7 @@
 0.000000   MetaHookPre   LoadFile(./consts)
 0.000000   MetaHookPre   LoadFile(./consts.bro)
 0.000000   MetaHookPre   LoadFile(./contents)
+0.000000   MetaHookPre   LoadFile(./ct-list)
 0.000000   MetaHookPre   LoadFile(./data.bif.bro)
 0.000000   MetaHookPre   LoadFile(./dcc-send)
 0.000000   MetaHookPre   LoadFile(./debug)
@@ -1433,6 +1453,8 @@
 0.000000   MetaHookPre   LoadFile(base<...>/weird)
 0.000000   MetaHookPre   LoadFile(base<...>/x509)
 0.000000   MetaHookPre   LoadFile(base<...>/xmpp)
+0.000000   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)})
+0.000000   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>)
 0.000000   MetaHookPre   QueueEvent(NetControl::init())
 0.000000   MetaHookPre   QueueEvent(bro_init())
 0.000000   MetaHookPre   QueueEvent(filter_change_tracking())
@@ -1587,8 +1609,17 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
 0.000000 | HookCallFunction Cluster::is_enabled()
-0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})
+0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/pkix-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-ca-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-user-cert)
 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_PE, application/x-dosexec)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/pkix-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-ca-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-user-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/pkix-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-ca-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-user-cert)
 0.000000 | HookCallFunction Files::register_for_mime_types(Files::ANALYZER_PE, {application/x-dosexec})
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])
@@ -1684,7 +1715,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1814,7 +1845,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -1847,16 +1878,16 @@
 0.000000 | HookCallFunction reading_live_traffic()
 0.000000 | HookCallFunction reading_traces()
 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$)
-0.000000 | HookCallFunction strftime(%Y, 1475869873.545611)
 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F)
 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, )
-0.000000 | HookCallFunction to_count(2016)
 0.000000 | HookDrainEvents
 0.000000 | HookLoadFile  ..<...>/bro
 0.000000 | HookLoadFile  .<...>/bro
 0.000000 | HookLoadFile  <...>/bro
 0.000000 | HookLoadFile  base<...>/bif
 0.000000 | HookLoadFile  base<...>/bro
+0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
+0.000000 | HookLogWrite  packet_filter [ts=1498500921.180040, node=bro, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent bro_init()
 0.000000 | HookQueueEvent filter_change_tracking()
@@ -1871,6 +1902,7 @@
 1362692526.869344   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
 1362692526.869344   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
 1362692526.869344   MetaHookPost  QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
+1362692526.869344   MetaHookPost  SetupAnalyzerTree(1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80) -> <void>
 1362692526.869344   MetaHookPost  UpdateNetworkTime(1362692526.869344) -> <void>
 1362692526.869344   MetaHookPre   BroObjDtor(<void ptr>)
 1362692526.869344   MetaHookPre   CallFunction(ChecksumOffloading::check, <null>, ())
@@ -1883,6 +1915,7 @@
 1362692526.869344   MetaHookPre   QueueEvent(ChecksumOffloading::check())
 1362692526.869344   MetaHookPre   QueueEvent(filter_change_tracking())
 1362692526.869344   MetaHookPre   QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.869344   MetaHookPre   SetupAnalyzerTree(1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80)
 1362692526.869344   MetaHookPre   UpdateNetworkTime(1362692526.869344)
 1362692526.869344  | HookBroObjDtor
 1362692526.869344  | HookUpdateNetworkTime 1362692526.869344
@@ -1896,6 +1929,7 @@
 1362692526.869344 | HookQueueEvent ChecksumOffloading::check()
 1362692526.869344 | HookQueueEvent filter_change_tracking()
 1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.869344 | HookSetupAnalyzerTree 1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80
 1362692526.869344 | RequestObjDtor ChecksumOffloading::check()
 1362692526.939084   MetaHookPost  CallFunction(NetControl::catch_release_seen, <frame>, (141.142.228.5)) -> <no result>
 1362692526.939084   MetaHookPost  CallFunction(addr_to_subnet, <frame>, (141.142.228.5)) -> <no result>
@@ -2043,10 +2077,10 @@
 1362692527.008509 | HookDrainEvents
 1362692527.009512   MetaHookPost  CallFunction(Files::__enable_reassembly, <frame>, (FakNcS1Jfe01uljb3)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 524288)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
@@ -2089,10 +2123,10 @@
 1362692527.009512   MetaHookPost  UpdateNetworkTime(1362692527.009512) -> <void>
 1362692527.009512   MetaHookPre   CallFunction(Files::__enable_reassembly, <frame>, (FakNcS1Jfe01uljb3))
 1362692527.009512   MetaHookPre   CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 524288))
-1362692527.009512   MetaHookPre   CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
@@ -2136,10 +2170,10 @@
 1362692527.009512  | HookUpdateNetworkTime 1362692527.009512
 1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3)
 1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 524288)
-1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288)
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288)
 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199)
 1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
@@ -2196,12 +2230,12 @@
 1362692527.009775   MetaHookPost  CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(Log::__write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(Log::__write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::__write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(file_sniff, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(file_sniff, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
@@ -2210,7 +2244,11 @@
 1362692527.009775   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009775   MetaHookPost  DrainEvents() -> <void>
-1362692527.009775   MetaHookPost  QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> false
+1362692527.009775   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}) -> <void>
+1362692527.009775   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) -> <void>
+1362692527.009775   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, <void ptr>) -> true
+1362692527.009775   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, <void ptr>) -> true
+1362692527.009775   MetaHookPost  QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> false
 1362692527.009775   MetaHookPost  QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> false
 1362692527.009775   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
 1362692527.009775   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
@@ -2221,12 +2259,12 @@
 1362692527.009775   MetaHookPre   CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199))
 1362692527.009775   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(Log::__write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
+1362692527.009775   MetaHookPre   CallFunction(Log::__write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Log::__write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
-1362692527.009775   MetaHookPre   CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
+1362692527.009775   MetaHookPre   CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Log::write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
 1362692527.009775   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.009775   MetaHookPre   CallFunction(file_sniff, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]))
+1362692527.009775   MetaHookPre   CallFunction(file_sniff, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]))
 1362692527.009775   MetaHookPre   CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
 1362692527.009775   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
@@ -2235,7 +2273,11 @@
 1362692527.009775   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692527.009775   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009775   MetaHookPre   DrainEvents()
-1362692527.009775   MetaHookPre   QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]))
+1362692527.009775   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)})
+1362692527.009775   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])})
+1362692527.009775   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, <void ptr>)
+1362692527.009775   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, <void ptr>)
+1362692527.009775   MetaHookPre   QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]))
 1362692527.009775   MetaHookPre   QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
@@ -2247,12 +2289,12 @@
 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199)
 1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
+1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>])
 1362692527.009775 | HookCallFunction Log::__write(HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
-1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
+1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>])
 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])
+1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])
 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
 1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
@@ -2261,7 +2303,11 @@
 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009775 | HookDrainEvents
-1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])
+1362692527.009775 | HookLogInit   files 1/1 {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}
+1362692527.009775 | HookLogInit   http 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}
+1362692527.009775 | HookLogWrite  files [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts=192.150.187.43, rx_hosts=141.142.228.5, conn_uids=CHhAvVGS1DHFjwGM9, source=HTTP, depth=0, analyzers=, mime_type=text/plain, filename=<uninitialized>, duration=0.000263, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
+1362692527.009775 | HookLogWrite  http [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, trans_depth=1, method=GET, host=bro.org, uri=<...>/plain]
+1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])
 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
@@ -2295,6 +2341,7 @@
 1362692527.080972   MetaHookPost  CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(KRB::do_log, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(KRB::fill_in_subjects, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(Log::write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> <no result>
@@ -2314,6 +2361,8 @@
 1362692527.080972   MetaHookPost  CallFunction(sub_bytes, <frame>, (HTTP, 0, 1)) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(to_lower, <frame>, (HTTP)) -> <no result>
 1362692527.080972   MetaHookPost  DrainEvents() -> <void>
+1362692527.080972   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) -> <void>
+1362692527.080972   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, <void ptr>) -> true
 1362692527.080972   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
 1362692527.080972   MetaHookPost  QueueEvent(bro_done()) -> false
 1362692527.080972   MetaHookPost  QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
@@ -2325,6 +2374,7 @@
 1362692527.080972   MetaHookPre   CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692527.080972   MetaHookPre   CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692527.080972   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   CallFunction(KRB::do_log, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692527.080972   MetaHookPre   CallFunction(KRB::fill_in_subjects, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692527.080972   MetaHookPre   CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]))
 1362692527.080972   MetaHookPre   CallFunction(Log::write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]))
@@ -2344,6 +2394,8 @@
 1362692527.080972   MetaHookPre   CallFunction(sub_bytes, <frame>, (HTTP, 0, 1))
 1362692527.080972   MetaHookPre   CallFunction(to_lower, <frame>, (HTTP))
 1362692527.080972   MetaHookPre   DrainEvents()
+1362692527.080972   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])})
+1362692527.080972   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, <void ptr>)
 1362692527.080972   MetaHookPre   QueueEvent(ChecksumOffloading::check())
 1362692527.080972   MetaHookPre   QueueEvent(bro_done())
 1362692527.080972   MetaHookPre   QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
@@ -2356,6 +2408,7 @@
 1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookCallFunction KRB::do_log([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])
 1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])
@@ -2375,6 +2428,8 @@
 1362692527.080972 | HookCallFunction sub_bytes(HTTP, 0, 1)
 1362692527.080972 | HookCallFunction to_lower(HTTP)
 1362692527.080972 | HookDrainEvents
+1362692527.080972 | HookLogInit   conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}
+1362692527.080972 | HookLogWrite  conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]
 1362692527.080972 | HookQueueEvent ChecksumOffloading::check()
 1362692527.080972 | HookQueueEvent bro_done()
 1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
diff --git a/testing/btest/Baseline/plugins.logging-hooks/output b/testing/btest/Baseline/plugins.logging-hooks/output
new file mode 100644
index 0000000000..54330845bc
--- /dev/null
+++ b/testing/btest/Baseline/plugins.logging-hooks/output
@@ -0,0 +1 @@
+1488216470.960453 | HookLogInit   ssh 1/1 {b (bool), i (int), e (enum), c (count), p (port), sn (subnet), a (addr), d (double), t (time), iv (interval), s (string), sc (set[count]), ss (set[string]), se (set[string]), vc (vector[count]), ve (vector[string]), f (func)}
diff --git a/testing/btest/Baseline/plugins.logging-hooks/ssh.log b/testing/btest/Baseline/plugins.logging-hooks/ssh.log
new file mode 100644
index 0000000000..4b62eb8aca
--- /dev/null
+++ b/testing/btest/Baseline/plugins.logging-hooks/ssh.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	EMPTY
+#unset_field	-
+#path	ssh
+#open	2017-02-27-17-27-50
+#fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve	f
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	set[count]	set[string]	set[string]	vector[count]	vector[string]	func
+F	-2	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1488216470.960453	100.000000	hurz	2,4,1,3	BB,AA,CC	EMPTY	10,20,30	EMPTY	SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
+T	-	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1488216470.960453	100.000000	hurz	2,4,1,3	BB,AA,CC	EMPTY	10,20,30	EMPTY	SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
+#close	2017-02-27-17-27-50
diff --git a/testing/btest/Baseline/plugins.writer/output b/testing/btest/Baseline/plugins.writer/output
index 0e8466831e..f17b55dad2 100644
--- a/testing/btest/Baseline/plugins.writer/output
+++ b/testing/btest/Baseline/plugins.writer/output
@@ -9,7 +9,7 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0)
 [conn] 1340213162.160367|CUM0KZ3MLUfNB0cl11|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|
 [conn] 1340213226.561757|CmES5u32sYpV7JYN|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|
 [conn] 1340213290.981995|CP5puj4I8PtEU4qzYg|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|
-[files] 1340213020.732547|FBtZ7y1ppK8iIeY622|60.190.189.214|10.0.0.55|ClEkJM2Vm5giqnMf4h|HTTP|0||image/gif|-|0.000034|-|F|1368|1368|0|0|F|-|-|-|-|-
+[files] 1340213020.732547|FBtZ7y1ppK8iIeY622|60.190.189.214|10.0.0.55|ClEkJM2Vm5giqnMf4h|HTTP|0||image/gif|-|0.000034|-|F|1368|1368|0|0|F|-|-|-|-|-|-|-
 [http] 1340213019.013158|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|1|GET|www.osnews.com|/images/printer2.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
 [http] 1340213019.013426|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|2|GET|www.osnews.com|/img2/shorturl.jpg|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
 [http] 1340213019.580162|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|3|GET|www.osnews.com|/images/icons/9.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
@@ -17,6 +17,6 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0)
 [http] 1340213020.732963|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
 [http] 1340213021.300269|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
 [http] 1340213021.861584|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
-[packet_filter] 1468426456.812140|bro|ip or not ip|T|T
+[packet_filter] 1485327742.161604|bro|ip or not ip|T|T
 [socks] 1340213015.276495|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|-|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688
 [tunnel] 1340213015.276495|-|10.0.0.55|0|60.190.189.214|8124|Tunnel::SOCKS|Tunnel::DISCOVER
diff --git a/testing/btest/Baseline/scripts.base.files.extract.limit/files.log b/testing/btest/Baseline/scripts.base.files.extract.limit/files.log
new file mode 100644
index 0000000000..f9ab216124
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.files.extract.limit/files.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	files
+#open	2017-01-25-06-12-45
+#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	extracted	extracted_cutoff	extracted_size	md5	sha1	sha256
+#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	bool	count	string	string	string
+1363628702.262149	FGy9Oo9JLY8SFxMJ2	141.142.192.162	141.142.228.5	ClEkJM2Vm5giqnMf4h	FTP_DATA	0	EXTRACT	text/plain	-	0.001059	-	F	16557	-	0	0	F	-	2	T	6000	-	-	-
+#close	2017-01-25-06-12-45
diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout
new file mode 100644
index 0000000000..e11616d745
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout
@@ -0,0 +1,12 @@
+0, Symantec log, 1474927230.876, 4, 3
+0, Google 'Rocketeer' log, 1474927232.863, 4, 3
+0, Google 'Aviator' log, 1474927232.112, 4, 3
+0, Google 'Pilot' log, 1474927232.304, 4, 3
+Verify of, Symantec log, T
+Bad verify of, Symantec log, F
+Verify of, Google 'Rocketeer' log, T
+Bad verify of, Google 'Rocketeer' log, F
+Verify of, Google 'Aviator' log, T
+Bad verify of, Google 'Aviator' log, F
+Verify of, Google 'Pilot' log, T
+Bad verify of, Google 'Pilot' log, F
diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout
new file mode 100644
index 0000000000..5384f4e6b7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout
@@ -0,0 +1,6 @@
+0, Google 'Pilot' log, 1406997753.366, 4, 3
+Verify of, Google 'Pilot' log, T
+Bad verify of, Google 'Pilot' log, F
+0, Google 'Aviator' log, 1407002457.456, 4, 3
+Verify of, Google 'Aviator' log, T
+Bad verify of, Google 'Aviator' log, F
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log
index 857ff5a422..8b98886c93 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	files
-#open	2016-07-13-16-14-18
-#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
-#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
-1362692527.009512	FakNcS1Jfe01uljb3	192.150.187.43	141.142.228.5	CHhAvVGS1DHFjwGM9	HTTP	0	MD5	text/plain	-	0.000263	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	-	-	-
-#close	2016-07-13-16-14-18
+#open	2017-01-25-07-04-25
+#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
+#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
+1362692527.009512	FakNcS1Jfe01uljb3	192.150.187.43	141.142.228.5	CHhAvVGS1DHFjwGM9	HTTP	0	MD5	text/plain	-	0.000263	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	-	-	-	-	-
+#close	2017-01-25-07-04-25
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log
index 4f2d661ae7..b692cadc38 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	files
-#open	2016-07-13-16-14-18
-#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
-#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
-1362692527.009512	FakNcS1Jfe01uljb3	192.150.187.43	141.142.228.5	CHhAvVGS1DHFjwGM9	HTTP	0	MD5,SHA1	text/plain	-	0.000263	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	-	-
-#close	2016-07-13-16-14-18
+#open	2017-01-25-07-04-39
+#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
+#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
+1362692527.009512	FakNcS1Jfe01uljb3	192.150.187.43	141.142.228.5	CHhAvVGS1DHFjwGM9	HTTP	0	MD5,SHA1	text/plain	-	0.000263	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	-	-	-	-
+#close	2017-01-25-07-04-39
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.byteranges/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.byteranges/files.log
new file mode 100644
index 0000000000..a8a12d0d2b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.byteranges/files.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	files
+#open	2017-01-31-22-51-55
+#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
+#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
+1258867934.558264	F2xow8TIkvHG4Zz41	198.189.255.75	192.168.1.105	CHhAvVGS1DHFjwGM9	HTTP	0	EXTRACT	-	-	0.046240	-	F	54229	605292323	4244449	0	T	-	-	-	-	extract-1258867934.558264-HTTP-F2xow8TIkvHG4Zz41	T	4000
+#close	2017-01-31-22-51-55
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
index 9902524a1f..98923eb2d1 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	files
-#open	2016-07-13-16-14-21
-#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
-#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
-1362692527.009512	FakNcS1Jfe01uljb3	192.150.187.43	141.142.228.5	CHhAvVGS1DHFjwGM9	HTTP	0	MD5,EXTRACT,DATA_EVENT,SHA1,SHA256	text/plain	-	0.000263	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18	FakNcS1Jfe01uljb3-file
-#close	2016-07-13-16-14-21
+#open	2017-01-25-07-04-52
+#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
+#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
+1362692527.009512	FakNcS1Jfe01uljb3	192.150.187.43	141.142.228.5	CHhAvVGS1DHFjwGM9	HTTP	0	MD5,EXTRACT,DATA_EVENT,SHA1,SHA256	text/plain	-	0.000263	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18	FakNcS1Jfe01uljb3-file	F	-
+#close	2017-01-25-07-04-52
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out
index d7c0aef00d..90e5e79ef0 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out
@@ -60,10 +60,8 @@ FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #4, 1406, 0
 [orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]
-FILE_BOF_BUFFER
-0\x82\x05z0\x82\x04b\xa0\x03\x02
 MIME_TYPE
-application/pkix-cert
+application/x-x509-user-cert
 source: SSL
 MD5: 1bf9696d9f337805383427e88781d001
 SHA1: f5ccb1a724133607548b00d8eb402efca3076d58
@@ -73,10 +71,8 @@ FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #5, 1092, 0
 [orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]
-FILE_BOF_BUFFER
-0\x82\x04@0\x82\x03(\xa0\x03\x02
 MIME_TYPE
-application/pkix-cert
+application/x-x509-ca-cert
 source: SSL
 MD5: 48f0e38385112eeca5fc9ffd402eaecd
 SHA1: 8e8321ca08b08e3726fe1d82996884eeb5f0d655
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out b/testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out
new file mode 100644
index 0000000000..3406639d29
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out
@@ -0,0 +1,26 @@
+{
+[-43] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242 HOHOHO, sc={
+2,
+4,
+1,
+3
+}, ss={
+BB,
+AA,
+CC
+}, se={
+
+}, vc=[10, 20, 30], ve=[]],
+[-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242, sc={
+2,
+4,
+1,
+3
+}, ss={
+BB,
+AA,
+CC
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
+}
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr
index 20207bcf94..8cd0c5ab6c 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr
@@ -1,2 +1,2 @@
-warning: Value not 'IdoNot::Exist' for stream 'enum' is not a valid enum.
+warning: Value 'IdoNot::Exist' for stream 'enum' is not a valid enum.
 received termination signal
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr
new file mode 100644
index 0000000000..337cdcda87
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr
@@ -0,0 +1,8 @@
+warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat
+warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat
+warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat
+error: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat
+error: ../does-not-exist.dat/Input::READER_ASCII: Init failed
+error: ../does-not-exist.dat/Input::READER_ASCII: terminating thread
+warning: ../does-not-exist.dat/Input::READER_ASCII: Could not get stat for ../does-not-exist.dat
+received termination signal
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout
new file mode 100644
index 0000000000..39309bc8cf
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout
@@ -0,0 +1,5 @@
+now it does
+and more!
+now it does
+and more!
+Streaming still works
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output b/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output
index dfa922f88f..a01d119b81 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output
@@ -3,20 +3,31 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2016-06-15-19-11-06
+#open	2017-02-09-18-29-44
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1466017866.348490	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
-1466017867.349583	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
-1466017868.349656	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
-#close	2016-06-15-19-11-12
+1486664984.510411	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
+1486664987.510937	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
+1486664990.511265	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1,source2	-	-	-
+1486664993.512024	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1,source2	-	-	-
+1486664996.512265	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1,source2	-	-	-
+#close	2017-02-09-18-30-03
+-- Run 1 --
 Trigger: 1.2.3.4
 Seen: 1.2.3.4
+-- Run 2 --
+Trigger: 1.2.3.4
+Reinsert: 1.2.3.4
+Seen: 1.2.3.4
+-- Run 3 --
 Trigger: 1.2.3.4
 Seen: 1.2.3.4
+-- Run 4 --
+Trigger: 1.2.3.4
+Seen: 1.2.3.4
+-- Run 5 --
 Trigger: 1.2.3.4
 Seen: 1.2.3.4
 Expired: 1.2.3.4
-Trigger: 1.2.3.4
-Trigger: 1.2.3.4
+-- Run 6 --
 Trigger: 1.2.3.4
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
index 7b4e5003c4..69606c1407 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	reporter
-#open	2016-09-20-22-35-58
+#open	2017-02-11-16-36-40
 #fields	ts	level	message	location
 #types	time	enum	string	string
-0.000000	Reporter::INFO	Tried to remove non-existing item '192.168.1.1' (Intel::ADDR).	/home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 506-507
+0.000000	Reporter::INFO	Tried to remove non-existing item '192.168.1.1' (Intel::ADDR).	/home/johanna/bro/master/scripts/base/frameworks/intel/./main.bro, lines 520-521
 0.000000	Reporter::INFO	received termination signal	(empty)
-#close	2016-09-20-22-35-59
+#close	2017-02-11-16-36-40
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log
new file mode 100644
index 0000000000..c6979d60b9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh-uncompressed
+#open	2017-04-18-16-16-16
+#fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve	f
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	set[count]	set[string]	set[string]	vector[count]	vector[string]	func
+T	-42	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1215620010.543210	100.000000	hurz	2,4,1,3	BB,AA,CC	(empty)	10,20,30	(empty)	SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
+#close	2017-04-18-16-16-16
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log
new file mode 100644
index 0000000000..22bac43cef
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh
+#open	2017-04-18-16-15-17
+#fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve	f
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	set[count]	set[string]	set[string]	vector[count]	vector[string]	func
+T	-42	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1215620010.543210	100.000000	hurz	2,4,1,3	BB,AA,CC	(empty)	10,20,30	(empty)	SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
+#close	2017-04-18-16-15-17
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log
index 70c1a28ee2..6170cb6ce0 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log
@@ -3,23 +3,23 @@
 #empty_field	(empty)
 #unset_field	-
 #path	netcontrol
-#open	2016-03-24-22-04-41
+#open	2017-04-07-17-26-05
 #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
 #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Acld-bro/event/netcontroltest
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	waiting for plugins to initialize	-	-	-	-
-1458857080.863419	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Acld-bro/event/netcontroltest
-1458857080.863419	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
-1458857080.887618	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	-	0	36000.000000	here	Acld-bro/event/netcontroltest
-1458857080.887618	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	-	0	36000.000000	there	Acld-bro/event/netcontroltest
-1458857080.887618	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	36000.000000	-	Acld-bro/event/netcontroltest
-1458857080.888169	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	blockhosthost	0	36000.000000	here	Acld-bro/event/netcontroltest
-1458857080.888169	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	-	0	36000.000000	here	Acld-bro/event/netcontroltest
-1458857080.888169	3	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	droptcpport	0	36000.000000	there	Acld-bro/event/netcontroltest
-1458857080.888169	3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	-	0	36000.000000	there	Acld-bro/event/netcontroltest
-1458857080.888169	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	drop	0	36000.000000	-	Acld-bro/event/netcontroltest
-1458857080.888169	4	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	36000.000000	-	Acld-bro/event/netcontroltest
-1458857080.888169	2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	restorehosthost	0	36000.000000	here	Acld-bro/event/netcontroltest
-1458857080.888169	3	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	restoretcpport	0	36000.000000	there	Acld-bro/event/netcontroltest
-1458857080.888169	4	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	restore	0	36000.000000	-	Acld-bro/event/netcontroltest
-#close	2016-03-24-22-04-41
+1491585965.002956	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Acld-bro/event/netcontroltest
+1491585965.002956	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+1491585965.027155	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	-	0	36000.000000	here	Acld-bro/event/netcontroltest
+1491585965.027155	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	-	0	36000.000000	there	Acld-bro/event/netcontroltest
+1491585965.027155	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	36000.000000	-	Acld-bro/event/netcontroltest
+1491585965.027706	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	blockhosthost	0	36000.000000	here	Acld-bro/event/netcontroltest
+1491585965.027706	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	-	0	36000.000000	here	Acld-bro/event/netcontroltest
+1491585965.027706	3	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	droptcpport	0	36000.000000	there	Acld-bro/event/netcontroltest
+1491585965.027706	3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	-	0	36000.000000	there	Acld-bro/event/netcontroltest
+1491585965.027706	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	drop	0	36000.000000	-	Acld-bro/event/netcontroltest
+1491585965.027706	4	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	36000.000000	-	Acld-bro/event/netcontroltest
+1491585965.027706	2	NetControl::ERROR	-	-	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	restorehosthost	0	36000.000000	here	Acld-bro/event/netcontroltest
+1491585965.027706	3	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	restoretcpport	0	36000.000000	there	Acld-bro/event/netcontroltest
+1491585965.027706	4	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	restore	0	36000.000000	-	Acld-bro/event/netcontroltest
+#close	2017-04-07-17-26-05
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out
index 0d0ce0fccd..a0a9354726 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out
@@ -2,6 +2,6 @@ Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
 rule added, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
 rule exists, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
 rule added, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], NetControl::DROP
-rule removed, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
+rule error, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=192.168.18.50/32, src_p=<uninitialized>, dst_h=74.125.239.97/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
 rule removed, [ty=NetControl::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=443/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], NetControl::DROP
 rule removed, [ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], NetControl::DROP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log
deleted file mode 100644
index 974349e229..0000000000
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log
+++ /dev/null
@@ -1,23 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	netcontrol
-#open	2016-08-12-17-38-49
-#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
-#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
-1471023529.752740	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Debug-All
-1471023529.752740	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Debug-All
-1471023529.752740	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
-1471023532.819263	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	connection drop worker-1	Debug-All
-1471023532.819263	worker-1:2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	0.100000	direct drop worker-1	Debug-All
-1471023532.819263	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	connection drop worker-1	Debug-All
-1471023532.819263	worker-1:2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	0.100000	direct drop worker-1	Debug-All
-1471023532.920126	worker-1:2	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	0.100000	direct drop worker-1	Debug-All
-1471023532.920126	worker-1:2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	0.100000	direct drop worker-1	Debug-All
-1471023532.921768	worker-1:2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	0.100000	direct drop worker-1	Debug-All
-1471023534.308087	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	worker-2	0	600.000000	connection drop worker-1	Debug-All
-1471023534.308087	2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	connection drop worker-1	Debug-All
-1471023534.308087	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	3600.000000	Re-drop by catch-and-release: direct cr worker-1	Debug-All
-1471023534.308087	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	8.8.8.8/32	-	-	0	3600.000000	Re-drop by catch-and-release: direct cr worker-1	Debug-All
-#close	2016-08-12-17-38-54
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log
deleted file mode 100644
index 54202fffbe..0000000000
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log
+++ /dev/null
@@ -1,18 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	netcontrol_catch_release
-#open	2016-08-12-17-38-52
-#fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message
-#types	time	string	addr	enum	interval	interval	time	time	count	string	string
-1471023532.819263	2	192.168.18.50	NetControl::DROP	600.000000	3600.000000	1471024132.819263	1471027132.819263	1	connection drop worker-1	-
-1471023532.819263	2	192.168.18.50	NetControl::DROPPED	600.000000	3600.000000	1471024132.819263	1471027132.819263	1	connection drop worker-1	-
-1471023532.819263	worker-1:2	8.8.8.8	NetControl::ADDED	600.000000	3600.000000	-	1471027132.819263	1	direct cr worker-1	Address already blocked outside of catch-and-release. Catch and release will monitor and only actively block if it appears in network traffic.
-1471023532.920126	worker-1:2	8.8.8.8	NetControl::UNBLOCK	600.000000	3600.000000	-	1471027132.819263	1	direct cr worker-1	-
-1471023534.308087	2	192.168.18.50	NetControl::INFO	600.000000	3600.000000	1471024132.819263	1471027132.819263	1	connection drop worker-1	Block seen while in rule_entities. No action taken.
-1471023534.308087	2	192.168.18.50	NetControl::UNBLOCK	600.000000	3600.000000	1471024132.819263	1471027132.819263	1	connection drop worker-1	worker-2
-1471023534.308087	4	8.8.8.8	NetControl::SEEN_AGAIN	3600.000000	86400.000000	1471027134.308087	1471109934.308087	2	direct cr worker-1	-
-1471023534.308087	4	8.8.8.8	NetControl::DROPPED	3600.000000	86400.000000	1471027134.308087	1471109934.308087	2	direct cr worker-1	-
-1471023532.239980	2	192.168.18.50	NetControl::INFO	600.000000	3600.000000	1471024132.819263	1471027132.819263	1	connection drop worker-1	Already blocked using catch-and-release - ignoring duplicate
-#close	2016-08-12-17-38-54
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout
deleted file mode 100644
index f61fe92474..0000000000
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout
+++ /dev/null
@@ -1,9 +0,0 @@
-Suspend, worker-2
-New block, 192.168.18.50, [block_until=1471027194.791177, watch_until=1471030194.791177, num_reblocked=0, current_interval=0, current_block_id=2, location=connection drop worker-1]
-New block, 8.8.8.8, [block_until=<uninitialized>, watch_until=1471030194.791177, num_reblocked=0, current_interval=0, current_block_id=worker-1:2, location=direct cr worker-1]
-Resume, worker-2
-Connection established
-Info, [block_until=1471027194.791177, watch_until=1471030194.791177, num_reblocked=0, current_interval=0, current_block_id=2, location=connection drop worker-1]
-Delete block, 192.168.18.50
-New block, 8.8.8.8, [block_until=1471030196.295249, watch_until=1471112996.295249, num_reblocked=1, current_interval=1, current_block_id=4, location=direct cr worker-1]
-remote connection closed
diff --git a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
index 956b5a86e4..6f59b224b3 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
@@ -1,46 +1,12 @@
-success on: wu-2.4.2-academ[BETA-18-VR14](1)
-success on: Python-urllib/3.1
-success on: libwww-perl/5.820
-success on: Apache
-success on: Apple iPhone v4.3.1 Weather v1.0.0.8G4
-success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5
-success on: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
-success on: Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0
-success on: Java/1.6.0_13
-success on: The Bat! (v2.00.9) Personal
-success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
-success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02)
-success on: curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18
-success on: Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00
-success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731
-success on: CacheFlyServe v26b
-success on: Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
-success on: Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7
-success on: Total Commander
-success on: OpenSSH_5.2
-success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
-success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54
-success on: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15
-success on: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3)
-success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C)
-success on: Wget/1.9+cvs-stable (Red Hat modified)
-success on: Wget/1.11.4 (Red Hat modified)
-success on: Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01
-success on: Java1.3.1_04
-success on: OpenSSH_4.4
-success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)
-success on: (vsFTPd 2.0.5)
-success on: wu-2.6.2(1)
-success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
-success on: The Bat! (3.0.1 RC3) Professional
-success on: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0
 success on: Flash/10,2,153,1
 success on: Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4
 success on: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
+success on: %E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/128 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64)
 success on: Java1.2.2-JDeveloper
 success on: Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown
 success on: iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9
 success on: ProFTPD 1.2.5rc1 Server (Debian)
+success on: Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64)
 success on: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5
 success on: Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00
 success on: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
@@ -48,3 +14,42 @@ success on: Apple Mail (2.1084)
 success on: Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2
 success on: Apache/1.3.19 (Unix)
 success on: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
+success on: Wget/1.11.4 (Red Hat modified)
+success on: \xe6\xbc\xab\xe7\x94\xbb\xe4\xba\xba 2.6.2 rv:1.2 (iPhone; iOS 10.3.2; en_US)
+success on: wu-2.6.2(1)
+success on: QQ%E9%82%AE%E7%AE%B1/5.3.2.8 CFNetwork/811.5.4 Darwin/16.6.0
+success on: The Bat! (3.0.1 RC3) Professional
+success on: Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7
+success on: The Bat! (v2.00.9) Personal
+success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
+success on: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
+success on: wu-2.4.2-academ[BETA-18-VR14](1)
+success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02)
+success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)
+success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
+success on: Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063
+success on: Total Commander
+success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C)
+success on: libwww-perl/5.820
+success on: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0
+success on: Java/1.6.0_13
+success on: Python-urllib/3.1
+success on: Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00
+success on: CacheFlyServe v26b
+success on: Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
+success on: OpenSSH_5.2
+success on: (vsFTPd 2.0.5)
+success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
+success on: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3)
+success on: Apache
+success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5
+success on: Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0
+success on: curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18
+success on: Apple iPhone v4.3.1 Weather v1.0.0.8G4
+success on: Java1.3.1_04
+success on: OpenSSH_4.4
+success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731
+success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54
+success on: Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01
+success on: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15
+success on: Wget/1.9+cvs-stable (Red Hat modified)
diff --git a/testing/btest/Baseline/scripts.base.misc.version/.stdout b/testing/btest/Baseline/scripts.base.misc.version/.stdout
index 5b207674f3..359bde8473 100644
--- a/testing/btest/Baseline/scripts.base.misc.version/.stdout
+++ b/testing/btest/Baseline/scripts.base.misc.version/.stdout
@@ -5,6 +5,7 @@
 [version_number=20500, major=2, minor=5, patch=0, commit=12, beta=T, debug=F, version_string=2.5-beta-12]
 [version_number=20500, major=2, minor=5, patch=0, commit=0, beta=F, debug=T, version_string=2.5-12-debug]
 [version_number=20502, major=2, minor=5, patch=2, commit=12, beta=T, debug=T, version_string=2.5.2-beta-12-debug]
+[version_number=20502, major=2, minor=5, patch=2, commit=12, beta=T, debug=T, version_string=2.5.2-beta5-12-debug]
 [version_number=11220, major=1, minor=12, patch=20, commit=2562, beta=T, debug=T, version_string=1.12.20-beta-2562-debug]
 [version_number=0, major=0, minor=0, patch=0, commit=0, beta=F, debug=F, version_string=1]
 [version_number=0, major=0, minor=0, patch=0, commit=0, beta=F, debug=F, version_string=12.5]
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log
new file mode 100644
index 0000000000..8b2f960d80
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2017-07-28-05-03-01
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1501217955.063524	CHhAvVGS1DHFjwGM9	192.168.0.9	57322	192.150.187.12	80	1	GET	icir.org	/%	-	1.1	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0	0	300	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	Fp16kg2g0K5oCDByh2	-	text/html
+1501217957.423701	ClEkJM2Vm5giqnMf4h	192.168.0.9	57323	192.150.187.12	80	1	GET	icir.org	/%5	-	1.1	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0	0	300	400	Bad Request	-	-	(empty)	-	-	-	-	-	-	FAjakt4YvddFQlySjk	-	text/html
+#close	2017-07-28-05-03-01
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log
new file mode 100644
index 0000000000..df24831d15
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	2017-07-28-05-03-01
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
+#types	time	string	addr	port	addr	port	string	string	bool	string
+1501217955.063524	CHhAvVGS1DHFjwGM9	192.168.0.9	57322	192.150.187.12	80	illegal_%_at_end_of_URI	-	F	bro
+1501217957.423701	ClEkJM2Vm5giqnMf4h	192.168.0.9	57323	192.150.187.12	80	partial_escape_at_end_of_URI	-	F	bro
+#close	2017-07-28-05-03-01
diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output b/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output
index 0bec7ee13c..c42038b5d0 100644
--- a/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output
+++ b/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output
@@ -1,3 +1,3 @@
 KRB_AP_REQUEST
-[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18]
+[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18, ciphertext={\x9fY\xd0f\x8dS\xf4I\x88\x04\xfa\xc1\xd8m\xa2\xb7+\xbb\x19\xcag\x0c\x13\xd1g*\xfc\x18\xd1\xb1\x80!\xbd\x85\xec\xf9\x9b\xfa-\x18\xb6\xf5h\x91\xe7\x99\xf4\xdb\x93\xa0\xc7\x90\x1e\xa9\x95v\xd3\x12\xfa,9\x1d\x0b\xd0\xa1\xd25\x0f\x1f[G\xdf\xd0\xbbd\x06$2\xd1\xae\x130qZiY\x07@\xe9\xf9\xff\xa4\x9a\xd4\x09\xf0\x0d\xc1R\x10M\xbdKOV\xfd\xf6\x13\xf6\x9a\x95N\xdf!\xf6x\x94\xd8j\xa5\xdcp\xa8\x04\x99\x02x\xdb$\xd8\xfa_o\x8dV\xc8\x0a\xfe\x00\xf3&c\x0c8\xd1\xd0\xe9\x8e\xab\xfe&\xfe\x00\x8d$\x98I\xe5\x8d\x94rM4%\xd8\xfe\xa9\x08\x06\xc6\x95H7\xf7HCq\xb9\x0d$\x95?\x83B\x82\xdd\xea\xc3f3\xcc\xbb\x09\x0d-\x09;\xa6i%\xcd\xba\x11\xd4\xe0\x12w\xd0G&\xdaj\x82\x7f;\xf3\x1d\x10\xa4l\x06\x16l\x1bc\xa1\xd1\x15!\x00\x8a\xff\x8a\x06\xe7U^:<d\xba"\x02I\xf0\xce\xc7\xad\xb2]
 [use_session_key=F, mutual_required=F]
diff --git a/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout b/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout
new file mode 100644
index 0000000000..58d51a773a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout
@@ -0,0 +1,24 @@
+nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=425, state=3, num_pkts=5, num_bytes_ip=624, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=520, state=3, num_pkts=3, num_bytes_ip=516, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.972795, service={
+
+}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.564809, req_dur=0.0, req_len=124, rep_start=1495059608.56485, rep_dur=0.0, rep_len=112, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_ACCESS
+nfs_proc_create, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=581, state=3, num_pkts=6, num_bytes_ip=820, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=792, state=3, num_pkts=4, num_bytes_ip=680, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.97641, service={
+
+}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.565064, req_dur=0.0, req_len=144, rep_start=1495059608.568465, rep_dur=0.0, rep_len=260, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile], [fh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\w\x1ew\x01]\xb6\x00=, obj_attr=[ftype=NFS3::FTYPE_REG, mode=32768, nlink=1, uid=1628, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=24583799, atime=2044592128.0, mtime=51501766.0, ctime=1495059608.558778], dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.558778, ctime=1495059608.558778]]
+nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=745, state=3, num_pkts=7, num_bytes_ip=1024, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=940, state=3, num_pkts=5, num_bytes_ip=992, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.982349, service={
+
+}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.568646, req_dur=0.0, req_len=152, rep_start=1495059608.574404, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_SETATTR
+nfs_proc_lookup, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1185, state=3, num_pkts=10, num_bytes_ip=1584, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=1388, state=3, num_pkts=8, num_bytes_ip=1588, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.989157, service={
+
+}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1495059608.581163, req_dur=0.0, req_len=136, rep_start=1495059608.581212, rep_dur=0.0, rep_len=108, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile2], [fh=<uninitialized>, obj_attr=<uninitialized>, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.558778, ctime=1495059608.558778]]
+nfs_proc_rename, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1377, state=3, num_pkts=11, num_bytes_ip=1816, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=1652, state=3, num_pkts=9, num_bytes_ip=1748, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.991291, service={
+
+}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.581412, req_dur=0.0, req_len=180, rep_start=1495059608.583346, rep_dur=0.0, rep_len=252, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [src_dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, src_fname=testfile, dst_dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, dst_fname=testfile2], [src_dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], src_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=22, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.574778, ctime=1495059608.574778], dst_dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], dst_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=22, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.574778, ctime=1495059608.574778]]
+nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1777, state=3, num_pkts=14, num_bytes_ip=2336, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2008, state=3, num_pkts=12, num_bytes_ip=2364, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.993098, service={
+
+}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.585126, req_dur=0.0, req_len=124, rep_start=1495059608.585153, rep_dur=0.0, rep_len=112, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_ACCESS
+nfs_proc_remove, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1925, state=3, num_pkts=16, num_bytes_ip=2564, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2156, state=3, num_pkts=13, num_bytes_ip=2528, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=9.813823, service={
+
+}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059609.400145, req_dur=0.0, req_len=136, rep_start=1495059609.405878, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704459, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile2], [dir_pre_attr=[size=0, atime=1495059608.574778, mtime=1495059608.574778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059609.398797, ctime=1495059609.398797]]
+nfs_proc_rmdir, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=2057, state=3, num_pkts=18, num_bytes_ip=2776, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2304, state=3, num_pkts=14, num_bytes_ip=2716, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=9.818272, service={
+
+}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059609.407676, req_dur=0.0, req_len=120, rep_start=1495059609.410327, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704459, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x00\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\, fname=test], [dir_pre_attr=[size=4096, atime=1495059608.558778, mtime=1495059608.558778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=44, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=128, atime=0.0, mtime=1495059609.402797, ctime=1495059609.402797]]
diff --git a/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log b/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log
index 944b5a3ad3..bd536ecca2 100644
--- a/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log
+++ b/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	radius
-#open	2016-07-13-16-16-47
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	username	mac	remote_ip	connect_info	result
-#types	time	string	addr	port	addr	port	string	string	addr	string	string
-1217631137.916736	CHhAvVGS1DHFjwGM9	10.0.0.1	1645	10.0.0.100	1812	John.McGuirk	00:14:22:e9:54:5e	-	-	success
-#close	2016-07-13-16-16-47
+#open	2017-02-20-04-53-55
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	username	mac	framed_addr	remote_ip	connect_info	reply_msg	result	ttl
+#types	time	string	addr	port	addr	port	string	string	addr	addr	string	string	string	interval
+1217631137.872968	CHhAvVGS1DHFjwGM9	10.0.0.1	1645	10.0.0.100	1812	John.McGuirk	00:14:22:e9:54:5e	255.255.255.254	-	-	Hello, %u	success	0.043882
+#close	2017-02-20-04-53-55
diff --git a/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log b/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log
new file mode 100644
index 0000000000..8dac83de65
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log
@@ -0,0 +1,16 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	radius
+#open	2017-02-20-04-56-31
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	username	mac	framed_addr	remote_ip	connect_info	reply_msg	result	ttl
+#types	time	string	addr	port	addr	port	string	string	addr	addr	string	string	string	interval
+1440447766.440305	CHhAvVGS1DHFjwGM9	127.0.0.1	53031	127.0.0.1	1812	steve	-	172.16.3.33	-	-	-	failed	1.005906
+1440447839.947454	ClEkJM2Vm5giqnMf4h	127.0.0.1	65443	127.0.0.1	1812	steve	-	172.16.3.33	-	-	-	success	0.000779
+1440447848.196115	C4J4Th3PJpwUYZZ6gc	127.0.0.1	57717	127.0.0.1	1812	steve	-	-	-	-	-	success	0.000275
+1440447860.613743	CtPZjS20MLrsMUOJi2	127.0.0.1	64691	127.0.0.1	1812	steve	-	-	-	-	-	success	0.000273
+1440447880.931272	CUM0KZ3MLUfNB0cl11	127.0.0.1	52178	127.0.0.1	1812	steve	-	-	-	-	-	failed	1.001459
+1440447904.122012	CmES5u32sYpV7JYN	127.0.0.1	62956	127.0.0.1	1812	steve	-	-	-	-	-	unknown	-
+1440448190.335333	CP5puj4I8PtEU4qzYg	127.0.0.1	53127	127.0.0.1	1812	steve	-	-	-	-	-	success	0.000517
+#close	2017-02-20-04-56-31
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout
new file mode 100644
index 0000000000..054c38f738
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.raw-ntlm/.stdout
@@ -0,0 +1 @@
+\xebr\x96\x86\xfc\xaa\xcf\xad\xb14\x18\xfaIG`\xde
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log
index 66e632e0cb..b18428a86e 100644
--- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/files.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	files
-#open	2016-08-16-23-02-30
-#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
-#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
-1323202695.515890	Fg6wjp3BAYahIGAEf7	10.0.0.11	10.0.0.12	CHhAvVGS1DHFjwGM9	SMB	0	(empty)	application/pdf	WP_SMBPlugin.pdf	0.073970	-	T	1508939	-	0	0	T	-	-	-	-	-
-#close	2016-08-16-23-02-30
+#open	2017-01-25-07-05-17
+#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
+#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
+1323202695.515890	Fg6wjp3BAYahIGAEf7	10.0.0.11	10.0.0.12	CHhAvVGS1DHFjwGM9	SMB	0	(empty)	application/pdf	WP_SMBPlugin.pdf	0.073970	-	T	1508939	-	0	0	F	-	-	-	-	-	-	-
+#close	2017-01-25-07-05-17
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log
index 6af991f2fd..37d33ec57c 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log
@@ -3,22 +3,22 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssh
-#open	2016-10-13-19-57-11
+#open	2017-08-01-16-26-21
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	auth_success	auth_attempts	direction	client	server	cipher_alg	mac_alg	compression_alg	kex_alg	host_key_alg	host_key
 #types	time	string	addr	port	addr	port	count	bool	count	enum	string	string	string	string	string	string	string	string
 1324071333.792887	CHhAvVGS1DHFjwGM9	192.168.1.79	51880	131.159.21.1	22	2	F	2	-	SSH-2.0-OpenSSH_5.9	SSH-2.0-OpenSSH_5.8	aes128-ctr	hmac-md5	none	ecdh-sha2-nistp256	ssh-rsa	a7:26:62:3f:75:1f:33:8a:f3:32:90:8b:73:fd:2c:83
 1409516196.413240	ClEkJM2Vm5giqnMf4h	10.0.0.18	40184	128.2.6.88	41644	2	T	1	-	SSH-2.0-OpenSSH_6.6	SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1	aes128-ctr	hmac-md5	none	ecdh-sha2-nistp256	ssh-rsa	8a:8d:55:28:1e:71:04:99:94:43:22:89:e5:ff:e9:03
 1419870189.489202	C4J4Th3PJpwUYZZ6gc	192.168.2.1	57189	192.168.2.158	22	2	T	3	-	SSH-2.0-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	aes128-ctr	hmac-md5-etm@openssh.com	none	diffie-hellman-group-exchange-sha256	ssh-rsa	28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3
-1419870206.111841	CtPZjS20MLrsMUOJi2	192.168.2.1	57191	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1419996264.344957	CUM0KZ3MLUfNB0cl11	192.168.2.1	55179	192.168.2.158	2200	2	-	-	-	SSH-2.0-OpenSSH_6.2	SSH-2.0-paramiko_1.15.2	aes128-ctr	hmac-sha1	none	diffie-hellman-group14-sha1	ssh-rsa	60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5
-1420588548.729561	CmES5u32sYpV7JYN	192.168.2.1	56594	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_5.3	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420590124.885826	CP5puj4I8PtEU4qzYg	192.168.2.1	56821	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420590308.781231	C37jN32gN3y3AZzyf6	192.168.2.1	56837	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420590322.682536	C3eiCBGOLw3VtHfOj	192.168.2.1	56845	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420590636.482711	CwjjYJ2WqgTbAqiHl6	192.168.2.1	56875	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420590659.429570	C0LAHyvtKSQHyJxIl	192.168.2.1	56878	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420591379.658705	CFLRIC3zaTU1loLGxh	192.168.2.1	56940	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420599430.828441	C9rXSW3KSpTYvPrlI1	192.168.2.1	57831	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1419870206.111841	CtPZjS20MLrsMUOJi2	192.168.2.1	57191	192.168.2.158	22	1	-	0	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1419996264.344957	CUM0KZ3MLUfNB0cl11	192.168.2.1	55179	192.168.2.158	2200	2	-	0	-	SSH-2.0-OpenSSH_6.2	SSH-2.0-paramiko_1.15.2	aes128-ctr	hmac-sha1	none	diffie-hellman-group14-sha1	ssh-rsa	60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5
+1420588548.729561	CmES5u32sYpV7JYN	192.168.2.1	56594	192.168.2.158	22	1	-	0	-	SSH-1.5-OpenSSH_5.3	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420590124.885826	CP5puj4I8PtEU4qzYg	192.168.2.1	56821	192.168.2.158	22	1	-	0	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420590308.781231	C37jN32gN3y3AZzyf6	192.168.2.1	56837	192.168.2.158	22	1	-	0	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420590322.682536	C3eiCBGOLw3VtHfOj	192.168.2.1	56845	192.168.2.158	22	1	-	0	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420590636.482711	CwjjYJ2WqgTbAqiHl6	192.168.2.1	56875	192.168.2.158	22	1	-	0	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420590659.429570	C0LAHyvtKSQHyJxIl	192.168.2.1	56878	192.168.2.158	22	1	-	0	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420591379.658705	CFLRIC3zaTU1loLGxh	192.168.2.1	56940	192.168.2.158	22	1	-	0	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420599430.828441	C9rXSW3KSpTYvPrlI1	192.168.2.1	57831	192.168.2.158	22	1	-	0	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
 1420851448.310534	Ck51lg1bScffFj34Ri	192.168.2.1	59246	192.168.2.158	22	2	T	2	-	SSH-2.0-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	arcfour256	hmac-md5-etm@openssh.com	none	diffie-hellman-group-exchange-sha256	ssh-rsa	28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3
 1420860283.057451	C9mvWx3ezztgzcexV7	192.168.1.32	41164	128.2.10.238	22	2	T	5	-	SSH-2.0-OpenSSH_6.6p1-hpn14v4	SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301	aes128-cbc	hmac-md5	none	diffie-hellman-group-exchange-sha1	ssh-rsa	7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee
 1420860616.428738	CNnMIj2QSd84NKf7U3	192.168.1.32	33910	128.2.13.133	22	2	T	1	-	SSH-2.0-OpenSSH_6.6p1-hpn14v4	SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none	diffie-hellman-group-exchange-sha256	ssh-rsa	93:d8:4c:0d:b2:c3:2e:da:b9:c0:67:db:e4:8f:95:04
@@ -28,4 +28,4 @@
 1421041177.031508	CLNN1k2QMum1aexUK7	192.168.1.32	58641	131.103.20.168	22	2	F	1	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none	diffie-hellman-group-exchange-sha256	ssh-rsa	97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
 1421041299.777962	CBA8792iHmnhPLksKa	192.168.1.32	58646	131.103.20.168	22	2	T	1	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none	diffie-hellman-group-exchange-sha256	ssh-rsa	97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
 1421041526.353524	CGLPPc35OzDQij1XX8	192.168.1.32	58649	131.103.20.168	22	2	T	1	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none	diffie-hellman-group-exchange-sha256	ssh-rsa	97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
-#close	2016-10-13-19-57-11
+#close	2017-08-01-16-26-21
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout
index 7b2d255900..bbdfb4a3a6 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout
@@ -8,3 +8,6 @@ Start test run
 Client hello, 10.0.0.80, 68.233.76.12, 771
 Start test run
 Client hello, 192.168.6.217, 67.207.128.99, 771
+Start test run
+Client hello, 192.168.6.240, 139.162.123.134, 771
+Client hello, 192.168.6.240, 139.162.123.134, 771
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout
new file mode 100644
index 0000000000..45bec12af2
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout
@@ -0,0 +1,3 @@
+ocsp_response_status, successful
+ocsp_response_certificate, sha1, F2E06AF9858A1D8D709B4919237AA9B51A287E64, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 3D474496FF942316, good, 0.0, , 1436577056.0, 1437181856.0
+ocsp_response_bytes, successful, 0, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 1436577056.0, sha1WithRSAEncryption
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log
new file mode 100644
index 0000000000..3c092fce95
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ocsp
+#open	2017-09-11-16-24-17
+#fields	ts	id	hashAlgorithm	issuerNameHash	issuerKeyHash	serialNumber	certStatus	revoketime	revokereason	thisUpdate	nextUpdate
+#types	time	string	string	string	string	string	string	time	string	time	time
+1436909712.329517	Ft368Gc1ce0Juvj0d	sha1	F2E06AF9858A1D8D709B4919237AA9B51A287E64	4ADD06161BBCF668B576F581B6BB621ABA5A812F	3D474496FF942316	good	-	-	1436577056.000000	1437181856.000000
+#close	2017-09-11-16-24-17
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout
new file mode 100644
index 0000000000..293ea05c75
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout
@@ -0,0 +1,2 @@
+request, 0, 
+request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout
new file mode 100644
index 0000000000..0f3ad8f536
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout
@@ -0,0 +1,5 @@
+request, 0, 
+request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9
+ocsp_response_status, successful
+ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9, good, 0.0, , 1434665014.0, 1434794614.0
+ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log
new file mode 100644
index 0000000000..a2ea3b6893
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ocsp
+#open	2017-09-11-16-24-41
+#fields	ts	id	hashAlgorithm	issuerNameHash	issuerKeyHash	serialNumber	certStatus	revoketime	revokereason	thisUpdate	nextUpdate
+#types	time	string	string	string	string	string	string	time	string	time	time
+1434666864.070748	Fb215u2y5byABaV747	sha1	B6080D5F6C6B76EB13E438A5F8660BA85233344E	40C2BD278ECC348330A233D7FB6CB3F0B42C80CE	081C862DC8AAC9	good	-	-	1434665014.000000	1434794614.000000
+#close	2017-09-11-16-24-41
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout
new file mode 100644
index 0000000000..7ca240f05c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout
@@ -0,0 +1,3 @@
+ocsp_response_status, successful
+ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9, good, 0.0, , 1434665014.0, 1434794614.0
+ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log
new file mode 100644
index 0000000000..306819f251
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ocsp
+#open	2017-09-11-16-24-53
+#fields	ts	id	hashAlgorithm	issuerNameHash	issuerKeyHash	serialNumber	certStatus	revoketime	revokereason	thisUpdate	nextUpdate
+#types	time	string	string	string	string	string	string	time	string	time	time
+1434666864.070748	Fb215u2y5byABaV747	sha1	B6080D5F6C6B76EB13E438A5F8660BA85233344E	40C2BD278ECC348330A233D7FB6CB3F0B42C80CE	081C862DC8AAC9	good	-	-	1434665014.000000	1434794614.000000
+#close	2017-09-11-16-24-53
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout
new file mode 100644
index 0000000000..5e444491b2
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout
@@ -0,0 +1,20 @@
+request, 0, 
+request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 010BF45E184C4169AB61B41168DF802E
+ocsp_response_status, successful
+ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 010BF45E184C4169AB61B41168DF802E, revoked, 1431615529.0, superseded, 1436286514.0, 1443489162.0
+ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436286514.0, sha1WithRSAEncryption
+request, 0, 
+request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 013D34BFD6348EBA231D6925768ACD87
+ocsp_response_status, successful
+ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 013D34BFD6348EBA231D6925768ACD87, revoked, 1422391081.0, unspecified, 1436304214.0, 1443597239.0
+ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436304214.0, sha1WithRSAEncryption
+request, 0, 
+request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4
+ocsp_response_status, successful
+ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, 1432792428.0, (UNKNOWN), 1436238224.0, 1443473859.0
+ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436238224.0, sha1WithRSAEncryption
+request, 0, 
+request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A
+ocsp_response_status, successful
+ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A, revoked, 1421494379.0, keyCompromise, 1436321024.0, 1443459307.0
+ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436321024.0, sha1WithRSAEncryption
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log
new file mode 100644
index 0000000000..387342197a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log
@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ocsp
+#open	2017-09-11-16-25-05
+#fields	ts	id	hashAlgorithm	issuerNameHash	issuerKeyHash	serialNumber	certStatus	revoketime	revokereason	thisUpdate	nextUpdate
+#types	time	string	string	string	string	string	string	time	string	time	time
+1438374032.607476	Ftl4F41OsGtUDrOTWc	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	010BF45E184C4169AB61B41168DF802E	revoked	1431615529.000000	superseded	1436286514.000000	1443489162.000000
+1438374032.731983	FXISxH2UuTiDn0qCa1	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	013D34BFD6348EBA231D6925768ACD87	revoked	1422391081.000000	unspecified	1436304214.000000	1443597239.000000
+1438374032.848476	F3OYfx3A0JvMX787V3	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	0150C0C06D53F9D39205D84EFB5F2BA4	revoked	1432792428.000000	(UNKNOWN)	1436238224.000000	1443473859.000000
+1438374033.033189	FVty9v3KTnCvbg0Xf2	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	017447CB30072EE15B9C1B057B731C5A	revoked	1421494379.000000	keyCompromise	1436321024.000000	1443459307.000000
+#close	2017-09-11-16-25-05
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout
new file mode 100644
index 0000000000..342228a1cf
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout
@@ -0,0 +1,9 @@
+0, Google 'Pilot' log, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3]
+0, Google 'Aviator' log, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3]
+0, Google 'Rocketeer' log, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3]
+Verify of, Google 'Pilot' log, T
+Bad verify of, Google 'Pilot' log, F
+Verify of, Google 'Aviator' log, T
+Bad verify of, Google 'Aviator' log, F
+Verify of, Google 'Rocketeer' log, T
+Bad verify of, Google 'Rocketeer' log, F
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout
index c9434d9ddd..d5ab2cf618 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout
@@ -20,3 +20,69 @@ uncompressed
 ansiX962_compressed_prime
 ansiX962_compressed_char2
 ALPN, 192.168.4.149, 74.125.239.152, [spdy/3.1]
+Point formats, 192.168.6.240, 139.162.123.134, T
+uncompressed
+ansiX962_compressed_prime
+ansiX962_compressed_char2
+Curves, 192.168.6.240, 139.162.123.134
+x25519
+secp256r1
+secp521r1
+secp384r1
+signature_algorithm, 192.168.6.240, 139.162.123.134
+sha256, ecdsa
+sha384, ecdsa
+sha512, ecdsa
+unknown-8, unknown-4
+unknown-8, unknown-5
+unknown-8, unknown-6
+sha256, rsa
+sha384, rsa
+sha512, rsa
+sha1, ecdsa
+sha1, rsa
+sha1, dsa
+sha256, dsa
+sha384, dsa
+sha512, dsa
+supported_versions(, 192.168.6.240, 139.162.123.134
+TLSv13-draft19
+TLSv12
+TLSv11
+TLSv10
+psk_key_exchange_modes, 192.168.6.240, 139.162.123.134
+1
+0
+Point formats, 192.168.6.240, 139.162.123.134, T
+uncompressed
+ansiX962_compressed_prime
+ansiX962_compressed_char2
+Curves, 192.168.6.240, 139.162.123.134
+x25519
+secp256r1
+secp521r1
+secp384r1
+signature_algorithm, 192.168.6.240, 139.162.123.134
+sha256, ecdsa
+sha384, ecdsa
+sha512, ecdsa
+unknown-8, unknown-4
+unknown-8, unknown-5
+unknown-8, unknown-6
+sha256, rsa
+sha384, rsa
+sha512, rsa
+sha1, ecdsa
+sha1, rsa
+sha1, dsa
+sha256, dsa
+sha384, dsa
+sha512, dsa
+supported_versions(, 192.168.6.240, 139.162.123.134
+TLSv13-draft19
+TLSv12
+TLSv11
+TLSv10
+psk_key_exchange_modes, 192.168.6.240, 139.162.123.134
+1
+0
diff --git a/testing/btest/Baseline/scripts.base.utils.json/output b/testing/btest/Baseline/scripts.base.utils.json/output
new file mode 100644
index 0000000000..43513e43f9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.utils.json/output
@@ -0,0 +1,39 @@
+true
+123
+-999
+3.14
+-1.23456789e+308
+9e-308
+1480788576.868945
+"-12.0 hrs"
+"hello"
+""
+65535
+1
+123
+0
+"1.2.3.4"
+"ffff:1234::1"
+"123.123.123.123"
+"192.0.0.0/8"
+"fe80::/64"
+"Red"
+{"s": "test", "c": 100}
+{"s": "test"}
+{"s": "test"}
+{"m": {"s": "test"}}
+[]
+[2, 1]
+["1.2.3.4"]
+[[true, false]]
+[{"s": "test"}]
+[]
+[2, 1]
+["1.2.3.4"]
+[{"s": "test"}]
+[{"s": "test"}]
+{}
+{"2": "10.2.2.2", "1": "10.1.1.1"}
+{"10.1.1.1": {"a": 1}, "10.2.2.2": {"b": 2}}
+{"10.1.1.1": [1, 2], "10.2.2.2": [3, 5]}
+{"1": {"s": "test"}}
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
index 6bb3e47e60..25c032e488 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
@@ -3,23 +3,23 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2016-08-05-13-22-37
+#open	2017-05-02-20-45-26
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1416942644.593119	CHhAvVGS1DHFjwGM9	192.168.4.149	49422	23.92.19.75	443	www.pantz.org	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	Fi6J8q3lDJpbQWAnvi	application/pkix-cert	23.92.19.75:443/tcp
-#close	2016-08-05-13-22-37
+1416942644.593119	CHhAvVGS1DHFjwGM9	192.168.4.149	49422	23.92.19.75	443	www.pantz.org	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	Fi6J8q3lDJpbQWAnvi	application/x-x509-user-cert	23.92.19.75:443/tcp
+#close	2017-05-02-20-45-26
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2016-08-05-13-22-37
+#open	2017-05-02-20-45-27
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1170717505.735416	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	Intel::CERT_HASH	source1	FeCwNK3rzqPnZ7eBQ5	application/pkix-cert	194.127.84.106:443/tcp
+1170717505.735416	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	Intel::CERT_HASH	source1	FeCwNK3rzqPnZ7eBQ5	application/x-x509-user-cert	194.127.84.106:443/tcp
 1170717505.934612	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	FeCwNK3rzqPnZ7eBQ5	-	-
-1170717508.883051	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	Intel::CERT_HASH	source1	FjkLnG4s34DVZlaBNc	application/pkix-cert	194.127.84.106:443/tcp
+1170717508.883051	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	Intel::CERT_HASH	source1	FjkLnG4s34DVZlaBNc	application/x-x509-user-cert	194.127.84.106:443/tcp
 1170717509.082241	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	FjkLnG4s34DVZlaBNc	-	-
-1170717511.909717	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	Intel::CERT_HASH	source1	FQXAWgI2FB5STbrff	application/pkix-cert	194.127.84.106:443/tcp
+1170717511.909717	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	Intel::CERT_HASH	source1	FQXAWgI2FB5STbrff	application/x-x509-user-cert	194.127.84.106:443/tcp
 1170717512.108799	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	FQXAWgI2FB5STbrff	-	-
-#close	2016-08-05-13-22-38
+#close	2017-05-02-20-45-27
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
index 64cbb5f748..8cd2a5e56d 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@@ -173,6 +173,7 @@
 1437831799.764576 file_new
 1437831799.764576 file_over_new_connection
 1437831799.764576 file_sniff
+1437831799.764576 file_hash
 1437831799.764576 x509_certificate
 1437831799.764576 x509_extension
 1437831799.764576 x509_extension
@@ -190,6 +191,7 @@
 1437831799.764576 file_new
 1437831799.764576 file_over_new_connection
 1437831799.764576 file_sniff
+1437831799.764576 file_hash
 1437831799.764576 x509_certificate
 1437831799.764576 x509_extension
 1437831799.764576 x509_extension
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index 5353fb0ac4..70ed522a0d 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -301,7 +301,7 @@
                   [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 file_over_new_connection
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
@@ -314,11 +314,11 @@
                   [2] is_orig: bool      = T
 
 1254722770.692743 file_sniff
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T]
 
 1254722770.692743 file_state_remove
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
@@ -345,7 +345,7 @@
                   [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 file_over_new_connection
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
@@ -358,11 +358,11 @@
                   [2] is_orig: bool      = T
 
 1254722770.692804 file_sniff
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">\x0d\x0a<meta name=Generator content="Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a.MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext="edit" spidmax="1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext="edit">\x0d\x0a  <o:idmap v:ext="edit" data="1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=EN-US link=blue vlink=purple>\x0d\x0a\x0d\x0a<div class=Section1>\x0d\x0a\x0d\x0a<p class=MsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] meta: fa_metadata  = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]]]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">\x0d\x0a<meta name=Generator content="Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a.MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext="edit" spidmax="1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext="edit">\x0d\x0a  <o:idmap v:ext="edit" data="1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=EN-US link=blue vlink=purple>\x0d\x0a\x0d\x0a<div class=Section1>\x0d\x0a\x0d\x0a<p class=MsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] meta: fa_metadata  = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]], inferred=T]
 
 1254722770.692804 file_state_remove
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">\x0d\x0a<meta name=Generator content="Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a.MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext="edit" spidmax="1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext="edit">\x0d\x0a  <o:idmap v:ext="edit" data="1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=EN-US link=blue vlink=purple>\x0d\x0a\x0d\x0a<div class=Section1>\x0d\x0a\x0d\x0a<p class=MsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=<uninitialized>, duration=61.0 usecs, local_orig=<uninitialized>, is_orig=T, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">\x0d\x0a<meta name=Generator content="Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a.MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext="edit" spidmax="1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext="edit">\x0d\x0a  <o:idmap v:ext="edit" data="1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=EN-US link=blue vlink=purple>\x0d\x0a\x0d\x0a<div class=Section1>\x0d\x0a\x0d\x0a<p class=MsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=<uninitialized>, duration=61.0 usecs, local_orig=<uninitialized>, is_orig=T, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
@@ -406,7 +406,7 @@
                   [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692804 file_over_new_connection
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
@@ -414,8 +414,8 @@
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=1254722770.695115, duration=0.0, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.494181 file_sniff
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a  - Strip executable\x0d\x0a  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a  include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a  (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a  compiler: -D__DEBUG__\x0d\x0a* Each project creates a <project_name>_private.h file containing version\x0d\x0a  information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a  - Strip executable\x0d\x0a  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a  include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a  (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a  compiler: -D__DEBUG__\x0d\x0a* Each project creates a <project_name>_private.h file containing version\x0d\x0a  information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T]
 
 1254722771.858334 mime_end_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -426,7 +426,7 @@
                   [2] is_orig: bool      = T
 
 1254722771.858334 file_state_remove
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a\x09}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a  - Strip executable\x0d\x0a  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a  include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a  (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a  compiler: -D__DEBUG__\x0d\x0a* Each project creates a <project_name>_private.h file containing version\x0d\x0a  information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=<uninitialized>, is_orig=T, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a\x09}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a  - Strip executable\x0d\x0a  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a  include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a  (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a  compiler: -D__DEBUG__\x0d\x0a* Each project creates a <project_name>_private.h file containing version\x0d\x0a  information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=<uninitialized>, is_orig=T, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
@@ -694,7 +694,7 @@
                   [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1437831787.905375 file_over_new_connection
-                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
@@ -707,11 +707,11 @@
                   [2] is_orig: bool      = T
 
 1437831787.905375 file_sniff
-                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
+                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T]
 
 1437831787.905375 file_state_remove
-                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FKX8fw2lEHCTK8syM3, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=T, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1437831787.905375 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
@@ -743,10 +743,10 @@
                   [5] cont_resp: bool    = F
 
 1437831798.533593 new_connection
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=^, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=^, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831798.533765 partial_connection
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000172, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000172, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831799.262632 new_connection
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.0, service={\x0a\x0a}, history=, uid=C37jN32gN3y3AZzyf6, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -839,156 +839,166 @@
                   [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1437831799.764576 file_over_new_connection
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1437831799.764576 file_sniff
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] meta: fa_metadata  = [mime_type=<uninitialized>, mime_types=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] meta: fa_metadata  = [mime_type=application/x-x509-user-cert, mime_types=<uninitialized>, inferred=F]
+
+1437831799.764576 file_hash
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = f5ccb1a724133607548b00d8eb402efca3076d58
 
 1437831799.764576 x509_certificate
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] cert_ref: opaque of x509 = <no value description>
                   [2] cert: X509::Certificate = [version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]
 
 1437831799.764576 x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::BasicConstraints = [ca=F, path_len=<uninitialized>]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]
 
 1437831799.764576 x509_ext_subject_alternative_name
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::SubjectAlternativeName = [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]
 
 1437831799.764576 file_hash
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = f5ccb1a724133607548b00d8eb402efca3076d58
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] kind: string       = md5
+                  [2] hash: string       = 1bf9696d9f337805383427e88781d001
 
 1437831799.764576 file_state_remove
-                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=F1vce92FT1oRjKI328, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1437831799.764576 file_new
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1437831799.764576 file_over_new_connection
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1437831799.764576 file_sniff
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] meta: fa_metadata  = [mime_type=<uninitialized>, mime_types=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] meta: fa_metadata  = [mime_type=application/x-x509-ca-cert, mime_types=<uninitialized>, inferred=F]
+
+1437831799.764576 file_hash
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = 8e8321ca08b08e3726fe1d82996884eeb5f0d655
 
 1437831799.764576 x509_certificate
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] cert_ref: opaque of x509 = <no value description>
                   [2] cert: X509::Certificate = [version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]
 
 1437831799.764576 x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::BasicConstraints = [ca=T, path_len=0]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]
 
 1437831799.764576 x509_extension
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]
 
 1437831799.764576 file_hash
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = 8e8321ca08b08e3726fe1d82996884eeb5f0d655
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] kind: string       = md5
+                  [2] hash: string       = 48f0e38385112eeca5fc9ffd402eaecd
 
 1437831799.764576 file_state_remove
-                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fxp53s3wA5G3zdEJg8, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1437831799.764576 ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] msg_type: count    = 11
                   [3] length: count      = 2507
 
 1437831799.764576 ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] msg_type: count    = 14
                   [3] length: count      = 0
 
 1437831799.838196 ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] msg_type: count    = 16
                   [3] length: count      = 258
 
 1437831799.838197 ssl_change_cipher_spec
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
 
 1437831800.045701 ssl_change_cipher_spec
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
 
 1437831800.045701 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831800.217854 net_done
                   [0] t: time            = 1437831800.217854
@@ -1013,16 +1023,16 @@
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.914113, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831800.217854 connection_pending
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831800.217854 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831800.217854 connection_pending
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831800.217854 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=<uninitialized>, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1437831800.217854 bro_done
 1437831800.217854 ChecksumOffloading::check
diff --git a/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log b/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log
new file mode 100644
index 0000000000..5645378a7e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	kerberos
+#open	2017-02-22-05-02-14
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	request_type	client	service	success	error_msg	from	till	cipher	forwardable	renewable	client_cert_subject	client_cert_fuid	server_cert_subject	server_cert_fuid	auth_ticket	new_ticket
+#types	time	string	addr	port	addr	port	string	string	string	bool	string	time	time	string	bool	bool	string	string	string	string	string	string
+1429583645.478441	CHhAvVGS1DHFjwGM9	192.168.1.31	64889	192.168.1.32	88	TGS	vladg/VLADG.NET	krbtgt/VLADG.NET	T	-	-	0.000000	aes256-cts-hmac-sha1-96	T	F	-	-	-	-	a09fbd89918320cc12a26d4f0c4e6aa2	396a9d9e8975cc5024a83c6e86101f06
+#close	2017-02-22-05-02-14
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout
new file mode 100644
index 0000000000..ec22e1c01b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout
@@ -0,0 +1,17 @@
+[[version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1406997753366, sig_alg=3, hash_alg=4, signature=0D\x02 \x1cK\x82]\x95ng[\xdb\x04\x95K\xf6\xce\xf42>\x86zz2\xab\x18`t\xde\x08\xda\x05\x91L/\x02 sT\x1bn\x7f\xa1\xb0}\x11\xbc\xe6\xf3\x85/\x97f\x1a\xf7\x8a\xe4\x10%\x8f\x12\xf4o9\x0f\xd2\x9e\x18\xf0, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=h\xf6\x98\xf8\x1fd\x82\xbe:\x8c\xee\xb9(\x1dL\xfcqQ]g\x93\xd4D\xd1\x0ag\xac\xbbOO\xfb\xc4, timestamp=1407002457456, sig_alg=3, hash_alg=4, signature=0E\x02 2!\x148\x06\xd8r.\x000d\x1a\xe2\xe8mNZ\xe1\xd9B\x1e\x82K\x96%\x89\xd5&\x13\xd3\x9c\xfa\x02!\x00\x8f\x12(dQOD\xd5\x8c\x18b#\xb2C\x933\x05\xf3CU\xa1\xd9\xee\xcd\xc5q5\x91\xddI\xd1\x0b, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1410299366023, sig_alg=3, hash_alg=4, signature=0E\x02 )\x89\xd6\xb0S\xd3\xd2\xe9\x91\xbc\xf1\xb5@\xbe\x1e.\xe7\\xb4t'\xed\x8f\x9b\x02\xe9\xfa\xc2L\xba\xa2\xbe\x02!\x00\xafCdRq\x15)X@\x91\xc7\x08\x16\x96\x03\xa8s\xa5e\xa0l\xb8HVZ\xb6)\x83dm*\x9d, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1406997753366, sig_alg=3, hash_alg=4, signature=0D\x02 \x1cK\x82]\x95ng[\xdb\x04\x95K\xf6\xce\xf42>\x86zz2\xab\x18`t\xde\x08\xda\x05\x91L/\x02 sT\x1bn\x7f\xa1\xb0}\x11\xbc\xe6\xf3\x85/\x97f\x1a\xf7\x8a\xe4\x10%\x8f\x12\xf4o9\x0f\xd2\x9e\x18\xf0, source=SSL::SCT_OCSP_EXT, valid=T], [version=0, logid=h\xf6\x98\xf8\x1fd\x82\xbe:\x8c\xee\xb9(\x1dL\xfcqQ]g\x93\xd4D\xd1\x0ag\xac\xbbOO\xfb\xc4, timestamp=1407002457456, sig_alg=3, hash_alg=4, signature=0E\x02 2!\x148\x06\xd8r.\x000d\x1a\xe2\xe8mNZ\xe1\xd9B\x1e\x82K\x96%\x89\xd5&\x13\xd3\x9c\xfa\x02!\x00\x8f\x12(dQOD\xd5\x8c\x18b#\xb2C\x933\x05\xf3CU\xa1\xd9\xee\xcd\xc5q5\x91\xddI\xd1\x0b, source=SSL::SCT_OCSP_EXT, valid=T]]
+Google 'Pilot' log, T
+Google 'Aviator' log, T
+Google 'Rocketeer' log, T
+Google 'Pilot' log, T
+Google 'Aviator' log, T
+[[version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1487726002208, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\x89\x82s\x17\xd9\xcbo\xcf\xc3\xba\x91{\xeb\xe8\xf1\xbe\xc8)\x97\x1e\xe8A\x99P\x00\xaa\xb4\x15\xd97\x93\xca\x02!\x00\xca\xcd\xec\x9e\x12\xeed/v\xf5\xc32\xba\x92S\xe0 }\x85k\xe7\xd4TRp\xe8\x8d~\xba\x9d\x12\x16, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xac;\x9a\xed\x7f\xa9gGW\x15\x9em}WVr\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa11;ux-, timestamp=1487726003188, sig_alg=1, hash_alg=4, signature=\x04\xed\x08\xca\x8e\x1b\x8ba$\xe5\xe8{Y\x96'+\x06\x86\x87o\x1a=i5\x91\xc3\xfd\xf6\xbe\xeao;\xc8\x1c\x01j\xc0\x14\xea\x06\xd3\xe3#w,\x07\x06\xc3\xd0\xdc\xf2L:\xb0{\xfd.\x00\xdf\xc2\xb8w(\xaak\xfe^\xa0\x05\xe1\x84\xad\x1a!\xf2@/J\xcc\xcb8\xbb\xfa`;CF\<e\x17\xdafE/zX\xeb\xd0y\x15[\xd5\xe2\xee\xaf\xf8k\xeeX\x92\xa48\x0c\xab\x15v\xa6\xa4\x00\xc5Sjo\xe9\xbcL\xde\x11\x1d\x93\x7f\x9b\xbe\xb1\x13\xfb\xf1\xcb\xfb4\x85\xf2j\xc1t\xb0\x82g;*\x05i\x99*h\xe1\xcc\x07\xd2u\xc8L\xd3\x97\xb9\x81[-\xd1\xff\x1e\xc0\xa4\x80^vv\xb8+\xc5q\xec\xc0\xe7\x90\x00\x11{\xfdY\xb4fk'{\xa4T\xf4HO\xfd\x1d\xf6\xce\xbe=\x08G\x91\xd54\x0a\x90\xe7\xd5\xeda\x8c\xeb|"\xc1r!\xd9\xfb\xbd~\xf8\xc1\x01\xb5@9|\x9e\x0ej\xd1S\x97\xa3\x0a\xf9h\x15\xd7}\x05\x8a\x1b+j\x13\xf5, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7>F\x97t\xfew\xf5y\xfcZ\x08\xb82\x8c\x1dk, timestamp=1487726024253, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\x99\x8c\xa5+u\xe1t\x08\x0a\xa9!\xed)\x9b\xb6\xccx\x8d0VN,RZ2\xd93\xdc\xa7 \xa5\xd3\x02!\x00\xc8\xde\x96\x8d\x02\xd6\xfcx\xdbM \x06\x1cq\xe5\x10\xe3 \x18B\\x1d1\x88\xb0\xeb\xf3\xf2\x9b\x99X\xb4, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=V\x14\x06\x9a/\xd7\xc2\xec\xd3\xf5\xe1\xbdD\xb2>\xc7Fv\xb9\xbc\x99\x11\\xc0\xef\x94\x98U\xd6\x89\xd0\xdd, timestamp=1487726001197, sig_alg=3, hash_alg=4, signature=0E\x02 F\xc2\xfb\x02\xfd\xa3RNy_\x16^\xb54-S\x90\xdbK\x97\x87\x00\x93\xa1\x0d'\xc0<\xbeu\xc4\xab\x02!\x00\xb4\x93\xbb\xe2\xee\x14X\xd4\xcf\xa4\xc1\xd8\xcf\xdaAoaD\xf0\xbbM7\xdb\xb0\xec\xca\x0f\x18\xcbe\x8d\xe9, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1487726002855, sig_alg=3, hash_alg=4, signature=0D\x02 I\x06\xb4\x84Zo\xf49\x85\xd2\xbb\xc8\x8bb\x9b\xac\xbd\x84\x00\xf2f\xd0\x14\x0cV\x15_\xc7\x09&\xc1\x9f\x02 M\x0c\x05\x01ab\xe5\x97\xf9\xf8'\x02\xf4\x198\x97\xd2>xa\xc2\xda\xc1saw\xd8]\xc8\x97\xd6], source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xbb\xd9\xdf\xbc\x1f\x8aq\xb5\x93\x94#\x97\xaa\x92{G8W\x95\x0a\xabR\xe8\x1a\x90\x96d6\x8e\x1e\xd1\x85, timestamp=1487726000774, sig_alg=3, hash_alg=4, signature=0E\x02!\x00\xb1\x1atJ4\x80\xbd\xc5\x97\x7f(\xae^N\xe3WE-AO\x14X\x0aB\x1e\xc4\xb36\x00TVg\x02 o1hk\xec\x9fFG\xa4\xd2&\x97>E\x87\x7f\xcf\x1c\xc8\xdb>j\xc9\xde\xf5\x1e\x97\xf8\xc3e\xcc\x11, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1487725321667, sig_alg=3, hash_alg=4, signature=0E\x02 S\xc6N8\xf0\x84\xe5\xc8\xf5C\x87\xf6\xedU\x10\x0b}u2\xd2\x08+\x04\xbbS\xf6a\xc1\xb0\x94\x04\xc3\x02!\x00\xf4\xa2g\xa5!_\xee\x13\xd5\x0f\xd1\xb2\xe8o\x99\x10m\xa9\x0f\xd7W\xd5IH\xaa\x89\xdews\xe3=\x95, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=V\x14\x06\x9a/\xd7\xc2\xec\xd3\xf5\xe1\xbdD\xb2>\xc7Fv\xb9\xbc\x99\x11\\xc0\xef\x94\x98U\xd6\x89\xd0\xdd, timestamp=1487725322003, sig_alg=3, hash_alg=4, signature=0D\x02 \x04\x9d.\x13Q\xed\xed\xf1l\x9f\xa1\x94\x9dd\xfe\x9c0V|\xb6\xa8|9L5/\xaa\x19\xc7*\xed\xcf\x02 0\x0e+\xe3\xa4S\xfe\x85\xa6X\xcc\x06\xf2\x13\xe9\x0a\x87\xa0I\xdf\x8dr\x13xb\x12\x8c\xe6\xdd\x8f\xa8\xde, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1487725322768, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\xd37.:`\x98\x08\xb8\xf8\xc0\xad\xb1z\xe2]\x00\xb8\x08"\x97\xc8P\xeb1\x97\x16\x95!\xd0T\xb5\xd6\x02!\x00\xfe\xb8\xa3\xbf\x12\xb6%\x97\x9b\x0f\x0f\x9fc\xccP\xa0\x07\x0c\xe9\xf2\xda\xe9\\x0a\x8e\xeag\x8a\x131\x96?, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=\xbb\xd9\xdf\xbc\x1f\x8aq\xb5\x93\x94#\x97\xaa\x92{G8W\x95\x0a\xabR\xe8\x1a\x90\x96d6\x8e\x1e\xd1\x85, timestamp=1487725321891, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\xe7\x14'\xc8\x03?\xfc\xf1\xc6\x86\xe4g\xb6s\x034<\xf0\x96\xf0\xe0\x1a\xb8\x953\xe0\xf8U\x1d\x1c\xbf\xe6\x02!\x00\xcag\xf24\xcc\x86\x1aYd\xfb{\x82N\xeb,\xa3\xecu\xf1i\x01\xbc\xd4b\x1a\x9e\xa8\xc4\xca\x8f\x01\x8b, source=SSL::SCT_X509_EXT, valid=T]]
+Google 'Pilot' log, T
+Venafi log, T
+Venafi Gen2 CT log, T
+DigiCert Log Server, T
+Google 'Rocketeer' log, T
+Google 'Skydiver' log, T
+Google 'Pilot' log, T
+DigiCert Log Server, T
+Google 'Rocketeer' log, T
+Google 'Skydiver' log, T
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log
new file mode 100644
index 0000000000..0696d31ffe
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log
@@ -0,0 +1,20 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2017-03-22-01-52-35
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status	valid_ct_logs	valid_ct_operators
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	count	count
+1484228945.191472	CHhAvVGS1DHFjwGM9	192.168.178.73	60640	97.107.139.108	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	secp256r1	ritter.vg	F	-	http/1.1	T	FDWgotac24NQJKrRi,FUHPFD4bNbAmVvzf99,FL5BECVkzTuWWefyh	(empty)	CN=ritter.vg,OU=PositiveSSL,OU=Domain Control Validated	CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-	ok	3	1
+#close	2017-03-22-01-52-35
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2017-03-22-01-52-36
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status	valid_ct_logs	valid_ct_operators
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	count	count
+1490146178.647622	CHhAvVGS1DHFjwGM9	192.168.17.58	51995	97.107.139.108	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	secp256r1	ritter.vg	F	-	h2	T	Fui6LM65IdSB9LD25,FIwxeCtbWPXg98zO1	(empty)	CN=ritter.vg,O=Tom Ritter\\, LLC,L=Urbana,ST=Illinois,C=US,serialNumber=0600438893,jurisdictionST=New Jersey,jurisdictionC=US,businessCategory=Private Organization	CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US	-	-	ok	6	3
+#close	2017-03-22-01-52-36
diff --git a/testing/btest/Baseline/signatures.dst-ip-cidr-v4/output b/testing/btest/Baseline/signatures.dst-ip-cidr-v4/output
new file mode 100644
index 0000000000..eb07f77921
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-cidr-v4/output
@@ -0,0 +1,6 @@
+match, foo
+match, foo
+match, foo
+match, foo
+match, foo
+match, foo
diff --git a/testing/btest/Baseline/signatures.udp-payload-size/output b/testing/btest/Baseline/signatures.udp-payload-size/output
new file mode 100644
index 0000000000..2ae3bbde9f
--- /dev/null
+++ b/testing/btest/Baseline/signatures.udp-payload-size/output
@@ -0,0 +1,6 @@
+match, foo2
+match, foo2
+match, foo2
+match, foo2
+match, foo2
+match, foo2
diff --git a/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap b/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap
index 79881f62e7..f9e6078f51 100755
Binary files a/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap and b/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap differ
diff --git a/testing/btest/Traces/dnp3/dnp3_udp_read.pcap b/testing/btest/Traces/dnp3/dnp3_udp_read.pcap
index 7bc9d4add2..f089d12f51 100755
Binary files a/testing/btest/Traces/dnp3/dnp3_udp_read.pcap and b/testing/btest/Traces/dnp3/dnp3_udp_read.pcap differ
diff --git a/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap b/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap
index 384b5137d6..70b0e2cde4 100755
Binary files a/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap and b/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap differ
diff --git a/testing/btest/Traces/dnp3/dnp3_udp_write.pcap b/testing/btest/Traces/dnp3/dnp3_udp_write.pcap
index a2dd31b3b7..dc9125f691 100755
Binary files a/testing/btest/Traces/dnp3/dnp3_udp_write.pcap and b/testing/btest/Traces/dnp3/dnp3_udp_write.pcap differ
diff --git a/testing/btest/Traces/dns-huge-ttl.pcap b/testing/btest/Traces/dns-huge-ttl.pcap
index 27849b904b..5e9afdaf96 100644
Binary files a/testing/btest/Traces/dns-huge-ttl.pcap and b/testing/btest/Traces/dns-huge-ttl.pcap differ
diff --git a/testing/btest/Traces/erspan.trace b/testing/btest/Traces/erspan.trace
new file mode 100644
index 0000000000..64382645ec
Binary files /dev/null and b/testing/btest/Traces/erspan.trace differ
diff --git a/testing/btest/Traces/http/percent-end-of-line.pcap b/testing/btest/Traces/http/percent-end-of-line.pcap
new file mode 100644
index 0000000000..4d3854241a
Binary files /dev/null and b/testing/btest/Traces/http/percent-end-of-line.pcap differ
diff --git a/testing/btest/Traces/nfs/nfs_base.pcap b/testing/btest/Traces/nfs/nfs_base.pcap
new file mode 100644
index 0000000000..1707107c83
Binary files /dev/null and b/testing/btest/Traces/nfs/nfs_base.pcap differ
diff --git a/testing/btest/Traces/ntp.pcap b/testing/btest/Traces/ntp.pcap
new file mode 100644
index 0000000000..cc80d04afd
Binary files /dev/null and b/testing/btest/Traces/ntp.pcap differ
diff --git a/testing/btest/Traces/radius/radius_localhost.pcapng b/testing/btest/Traces/radius/radius_localhost.pcapng
new file mode 100644
index 0000000000..0de5c46dcd
Binary files /dev/null and b/testing/btest/Traces/radius/radius_localhost.pcapng differ
diff --git a/testing/btest/Traces/smb/raw_ntlm_in_smb.pcap b/testing/btest/Traces/smb/raw_ntlm_in_smb.pcap
new file mode 100644
index 0000000000..8a40175db4
Binary files /dev/null and b/testing/btest/Traces/smb/raw_ntlm_in_smb.pcap differ
diff --git a/testing/btest/Traces/tcp/retransmit-fast009.trace b/testing/btest/Traces/tcp/retransmit-fast009.trace
index 12cc1cd474..b3dabf9654 100644
Binary files a/testing/btest/Traces/tcp/retransmit-fast009.trace and b/testing/btest/Traces/tcp/retransmit-fast009.trace differ
diff --git a/testing/btest/Traces/tls/certificate-with-sct.pcap b/testing/btest/Traces/tls/certificate-with-sct.pcap
new file mode 100644
index 0000000000..0b6c1b166e
Binary files /dev/null and b/testing/btest/Traces/tls/certificate-with-sct.pcap differ
diff --git a/testing/btest/Traces/tls/ocsp-http-get.pcap b/testing/btest/Traces/tls/ocsp-http-get.pcap
new file mode 100644
index 0000000000..e264d59f2b
Binary files /dev/null and b/testing/btest/Traces/tls/ocsp-http-get.pcap differ
diff --git a/testing/btest/Traces/tls/ocsp-request-only.pcap b/testing/btest/Traces/tls/ocsp-request-only.pcap
new file mode 100644
index 0000000000..1d4e85da07
Binary files /dev/null and b/testing/btest/Traces/tls/ocsp-request-only.pcap differ
diff --git a/testing/btest/Traces/tls/ocsp-request-response.pcap b/testing/btest/Traces/tls/ocsp-request-response.pcap
new file mode 100644
index 0000000000..77306ea190
Binary files /dev/null and b/testing/btest/Traces/tls/ocsp-request-response.pcap differ
diff --git a/testing/btest/Traces/tls/ocsp-response-only.pcap b/testing/btest/Traces/tls/ocsp-response-only.pcap
new file mode 100644
index 0000000000..63fbdde25a
Binary files /dev/null and b/testing/btest/Traces/tls/ocsp-response-only.pcap differ
diff --git a/testing/btest/Traces/tls/ocsp-revoked.pcap b/testing/btest/Traces/tls/ocsp-revoked.pcap
new file mode 100644
index 0000000000..a2cd4509ad
Binary files /dev/null and b/testing/btest/Traces/tls/ocsp-revoked.pcap differ
diff --git a/testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap b/testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap
new file mode 100644
index 0000000000..6d19d32049
Binary files /dev/null and b/testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap differ
diff --git a/testing/btest/Traces/tls/signed_certificate_timestamp.pcap b/testing/btest/Traces/tls/signed_certificate_timestamp.pcap
new file mode 100644
index 0000000000..50efed9cea
Binary files /dev/null and b/testing/btest/Traces/tls/signed_certificate_timestamp.pcap differ
diff --git a/testing/btest/Traces/tls/tls-13draft19-early-data.pcap b/testing/btest/Traces/tls/tls-13draft19-early-data.pcap
new file mode 100644
index 0000000000..042ca6aaf6
Binary files /dev/null and b/testing/btest/Traces/tls/tls-13draft19-early-data.pcap differ
diff --git a/testing/btest/Traces/trunc/trunc-hdr.pcap b/testing/btest/Traces/trunc/trunc-hdr.pcap
index 0ab12ee6c7..689128f2bb 100644
Binary files a/testing/btest/Traces/trunc/trunc-hdr.pcap and b/testing/btest/Traces/trunc/trunc-hdr.pcap differ
diff --git a/testing/btest/bifs/directory_operations.bro b/testing/btest/bifs/directory_operations.bro
new file mode 100644
index 0000000000..9db34511b2
--- /dev/null
+++ b/testing/btest/bifs/directory_operations.bro
@@ -0,0 +1,24 @@
+#
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event bro_init()
+	{
+	# Test succesful operations...
+	print mkdir("testdir");
+	print mkdir("testdir");
+	local a = open("testdir/testfile");
+	close(a);
+	print rename("testdir/testfile", "testdir/testfile2");
+	print rename("testdir", "testdir2");
+	print unlink("testdir2/testfile2");
+	print rmdir("testdir2");
+
+
+	print unlink("nonexisting");
+	print rename("a", "b");
+	print rmdir("nonexisting");
+	a = open("testfile");
+	close(a);
+	print mkdir("testfile");
+	}
diff --git a/testing/btest/broker/remote_log.test b/testing/btest/broker/remote_log.test
index 5881ad6d92..df8f8d8d8a 100644
--- a/testing/btest/broker/remote_log.test
+++ b/testing/btest/broker/remote_log.test
@@ -12,25 +12,28 @@
 
 @TEST-START-FILE common.bro
 
+
+global quit_receiver: event();
+global quit_sender: event();
+
+
 module Test;
 
 export {
-	redef enum Log::ID += { LOG };
+        redef enum Log::ID += { LOG };
 
-	type Info: record {
-		msg: string &log;
-		nolog: string &default="no";
-		num: count &log;
-	};
-
-	global log_test: event(rec: Test::Info);
+        type Info: record {
+                msg: string &log;
+                nolog: string &default="no";
+                num: count &log;
+        };
 }
 
 event bro_init() &priority=5
-	{
-	Broker::enable();
-	Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]);
-	}
+        {
+        Broker::enable();
+        Log::create_stream(Test::LOG, [$columns=Test::Info]);
+        }
 
 @TEST-END-FILE
 
@@ -40,58 +43,67 @@ const broker_port: port &redef;
 redef exit_only_after_terminate = T;
 
 event bro_init()
-	{
-	Broker::subscribe_to_logs("bro/log/");
-	Broker::listen(broker_port, "127.0.0.1");
-	}
+        {
+        Broker::subscribe_to_logs("bro/log/");
+        Broker::subscribe_to_events("bro/event/");
+        Broker::listen(broker_port, "127.0.0.1");
+        }
 
-event Test::log_test(rec: Test::Info)
-	{
-	print "wrote log", rec;
-
-	if ( rec$num == 5 )
-		terminate();
-	}
+event quit_receiver()
+    {
+    terminate();
+    }
 
 @TEST-END-FILE
 
+
 @TEST-START-FILE send.bro
 
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
 
 event bro_init()
-	{
-	Broker::enable_remote_logs(Test::LOG);
-	Broker::connect("127.0.0.1", broker_port, 1secs);
-	}
+    {
+    Broker::enable_remote_logs(Test::LOG);
+    Broker::publish_topic("bro/event/");
+    Broker::connect("127.0.0.1", broker_port, 1secs);
+    }
 
 global n = 0;
 
 event do_write()
-	{
-	if ( n == 6 )
-		return;
-	else
-		{
-		Log::write(Test::LOG, [$msg = "ping", $num = n]);
-		++n;
-		event do_write();
-		}
-	}
+        {
+        if ( n == 6 )
+        {
+        local args = Broker::event_args(quit_receiver);
+        Broker::send_event("bro/event/", args);
+        schedule 1sec { quit_sender() };
+        }
+        else
+                {
+                Log::write(Test::LOG, [$msg = "ping", $num = n]);
+                ++n;
+                event do_write();
+                }
+        }
+
+event quit_sender()
+    {
+    terminate();
+    }
 
 event Broker::outgoing_connection_established(peer_address: string,
                                             peer_port: port,
                                             peer_name: string)
-	{
-	print "Broker::outgoing_connection_established", peer_address, peer_port;
-	event do_write();
-	}
+        {
+        print "Broker::outgoing_connection_established", peer_address, peer_port;
+        event do_write();
+        }
 
 event Broker::outgoing_connection_broken(peer_address: string,
                                        peer_port: port)
-	{
-	terminate();
-	}
+        {
+        terminate();
+        }
 
 @TEST-END-FILE
diff --git a/testing/btest/broker/remote_log_types.test b/testing/btest/broker/remote_log_types.test
new file mode 100644
index 0000000000..48011a8c07
--- /dev/null
+++ b/testing/btest/broker/remote_log_types.test
@@ -0,0 +1,134 @@
+# @TEST-SERIALIZE: brokercomm
+# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
+
+# @TEST-EXEC: btest-bg-run recv "bro -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out"
+
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff recv/test.log
+# @TEST-EXEC: btest-diff send/send.out
+# @TEST-EXEC: btest-diff send/test.log
+
+@TEST-START-FILE common.bro
+
+
+global quit_receiver: event();
+global quit_sender: event();
+
+
+module Test;
+
+export {
+        redef enum Log::ID += { LOG };
+
+	type Info: record {
+		b: bool;
+		i: int;
+		e: Log::ID;
+		c: count;
+		p: port;
+		sn: subnet;
+		a: addr;
+		d: double;
+		t: time;
+		iv: interval;
+		s: string;
+		sc: set[count];
+		ss: set[string];
+		se: set[string];
+		vc: vector of count;
+		ve: vector of string;
+		f: function(i: count) : string;
+	} &log;
+
+}
+
+event bro_init() &priority=5
+        {
+        Broker::enable();
+        Log::create_stream(Test::LOG, [$columns=Test::Info]);
+        }
+
+@TEST-END-FILE
+
+@TEST-START-FILE recv.bro
+
+const broker_port: port &redef;
+redef exit_only_after_terminate = T;
+
+event bro_init()
+        {
+        Broker::subscribe_to_logs("bro/log/");
+        Broker::subscribe_to_events("bro/event/");
+        Broker::listen(broker_port, "127.0.0.1");
+        }
+
+event quit_receiver()
+	{
+	terminate();
+	}
+
+@TEST-END-FILE
+
+
+@TEST-START-FILE send.bro
+
+const broker_port: port &redef;
+redef exit_only_after_terminate = T;
+
+event bro_init()
+        {
+        Broker::enable_remote_logs(Test::LOG);
+        Broker::publish_topic("bro/event/");
+        Broker::connect("127.0.0.1", broker_port, 1secs);
+        }
+
+event quit_sender()
+	{
+	terminate();
+	}
+
+function foo(i : count) : string
+	{
+	if ( i > 0 )
+		return "Foo";
+	else
+		return "Bar";
+	}
+
+event Broker::outgoing_connection_established(peer_address: string,
+                                            peer_port: port,
+                                            peer_name: string)
+        {
+        print "Broker::outgoing_connection_established", peer_address, peer_port;
+
+	local empty_set: set[string];
+	local empty_vector: vector of string;
+	
+	Log::write(Test::LOG, [
+		$b=T,
+		$i=-42,
+		$e=Test::LOG,
+		$c=21,
+		$p=123/tcp,
+		$sn=10.0.0.1/24,
+		$a=1.2.3.4,
+		$d=3.14,
+		$t=network_time(),
+		$iv=100secs,
+		$s="hurz",
+		$sc=set(1), # set(1,2,3,4),  # Output not stable for multi-element sets.
+		$ss=set("AA"), # set("AA", "BB", "CC") # Output not stable for multi-element sets.
+		$se=empty_set,
+		$vc=vector(10, 20, 30),
+		$ve=empty_vector,
+		$f=foo
+		]);
+
+	local args = Broker::event_args(quit_receiver);
+	Broker::send_event("bro/event/", args);
+	schedule 1sec { quit_sender() };
+        }
+
+@TEST-END-FILE
diff --git a/testing/btest/core/erspan.bro b/testing/btest/core/erspan.bro
new file mode 100644
index 0000000000..eb05cdcf5a
--- /dev/null
+++ b/testing/btest/core/erspan.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/erspan.trace %INPUT 
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/frameworks/tunnels
diff --git a/testing/btest/core/history-flip.bro b/testing/btest/core/history-flip.bro
index f34767eee8..e9769d99b5 100644
--- a/testing/btest/core/history-flip.bro
+++ b/testing/btest/core/history-flip.bro
@@ -1,2 +1,4 @@
 # @TEST-EXEC: bro -C -r $TRACES/tcp/missing-syn.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
+
+@load policy/protocols/conn/mac-logging
diff --git a/testing/btest/core/leaks/broker/clone_store.bro b/testing/btest/core/leaks/broker/clone_store.bro
index c3b11a7a0d..4996d05bd2 100644
--- a/testing/btest/core/leaks/broker/clone_store.bro
+++ b/testing/btest/core/leaks/broker/clone_store.bro
@@ -1,7 +1,7 @@
 # @TEST-SERIALIZE: brokercomm
 # @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
-# @TEST-GROUP: leak
+# @TEST-GROUP: leaks
 
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro broker_port=$BROKER_PORT >clone.out"
 # @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out"
diff --git a/testing/btest/core/leaks/broker/remote_event.test b/testing/btest/core/leaks/broker/remote_event.test
index 3f63fcba76..a7f174f7fd 100644
--- a/testing/btest/core/leaks/broker/remote_event.test
+++ b/testing/btest/core/leaks/broker/remote_event.test
@@ -1,7 +1,7 @@
 # @TEST-SERIALIZE: brokercomm
 # @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
-# @TEST-GROUP: leak
+# @TEST-GROUP: leaks
 
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro broker_port=$BROKER_PORT >send.out"
diff --git a/testing/btest/core/leaks/broker/remote_log.test b/testing/btest/core/leaks/broker/remote_log.test
index baeab906f1..0093e9db2e 100644
--- a/testing/btest/core/leaks/broker/remote_log.test
+++ b/testing/btest/core/leaks/broker/remote_log.test
@@ -1,7 +1,7 @@
 # @TEST-SERIALIZE: brokercomm
 # @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
-# @TEST-GROUP: leak
+# @TEST-GROUP: leaks
 
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out"
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out"
diff --git a/testing/btest/core/leaks/broker/remote_print.test b/testing/btest/core/leaks/broker/remote_print.test
index 26e6317034..9ecc913f34 100644
--- a/testing/btest/core/leaks/broker/remote_print.test
+++ b/testing/btest/core/leaks/broker/remote_print.test
@@ -1,7 +1,7 @@
 # @TEST-SERIALIZE: brokercomm
 # @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
-# @TEST-GROUP: leak
+# @TEST-GROUP: leaks
 
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro broker_port=$BROKER_PORT >send.out"
diff --git a/testing/btest/core/pcap/dumper.bro b/testing/btest/core/pcap/dumper.bro
index c8d03bc783..facb86a830 100644
--- a/testing/btest/core/pcap/dumper.bro
+++ b/testing/btest/core/pcap/dumper.bro
@@ -1,5 +1,5 @@
 # @TEST-EXEC: bro -r $TRACES/workshop_2011_browse.trace -w dump
 # @TEST-EXEC: hexdump -C $TRACES/workshop_2011_browse.trace >1
 # @TEST-EXEC: hexdump -C dump >2
-# @TEST-EXEC: sdiff -s 1 2 | awk '{ gsub(/\t/, " "); print }' >output || true
+# @TEST-EXEC: diff 1 2 >output || true
 # @TEST-EXEC: btest-diff output
diff --git a/testing/btest/doc/broxygen/identifier.bro b/testing/btest/doc/broxygen/identifier.bro
index 3768b0c0c6..db5c2528ee 100644
--- a/testing/btest/doc/broxygen/identifier.bro
+++ b/testing/btest/doc/broxygen/identifier.bro
@@ -1,3 +1,4 @@
+# @TEST-SERIALIZE: comm
 # @TEST-EXEC: bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff test.rst
 
diff --git a/testing/btest/doc/broxygen/package.bro b/testing/btest/doc/broxygen/package.bro
index 6857d5e646..fd75a1ce21 100644
--- a/testing/btest/doc/broxygen/package.bro
+++ b/testing/btest/doc/broxygen/package.bro
@@ -1,3 +1,4 @@
+# @TEST-SERIALIZE: comm
 # @TEST-EXEC: bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff test.rst
 
diff --git a/testing/btest/doc/broxygen/package_index.bro b/testing/btest/doc/broxygen/package_index.bro
index e29479d49f..ef6cc4ab29 100644
--- a/testing/btest/doc/broxygen/package_index.bro
+++ b/testing/btest/doc/broxygen/package_index.bro
@@ -1,3 +1,4 @@
+# @TEST-SERIALIZE: comm
 # @TEST-EXEC: bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff test.rst
 
diff --git a/testing/btest/doc/broxygen/script_index.bro b/testing/btest/doc/broxygen/script_index.bro
index 91bb4b756f..86e1909863 100644
--- a/testing/btest/doc/broxygen/script_index.bro
+++ b/testing/btest/doc/broxygen/script_index.bro
@@ -1,3 +1,4 @@
+# @TEST-SERIALIZE: comm
 # @TEST-EXEC: bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff test.rst
 
diff --git a/testing/btest/doc/broxygen/script_summary.bro b/testing/btest/doc/broxygen/script_summary.bro
index 9d3cda012b..a7aafc65a0 100644
--- a/testing/btest/doc/broxygen/script_summary.bro
+++ b/testing/btest/doc/broxygen/script_summary.bro
@@ -1,3 +1,4 @@
+# @TEST-SERIALIZE: comm
 # @TEST-EXEC: bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff test.rst
 
diff --git a/testing/btest/istate/broccoli-ipv6-socket.bro b/testing/btest/istate/broccoli-ipv6-socket.bro
index be6266fdec..27df984471 100644
--- a/testing/btest/istate/broccoli-ipv6-socket.bro
+++ b/testing/btest/istate/broccoli-ipv6-socket.bro
@@ -4,8 +4,7 @@
 # @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1"
 #
 # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ipv6=T"
-# @TEST-EXEC: sleep 1
-# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -6 ::1
+# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -R -6 ::1
 # @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: btest-diff bro/.stdout
 # @TEST-EXEC: btest-diff broccoli/.stdout
diff --git a/testing/btest/istate/broccoli-ipv6.bro b/testing/btest/istate/broccoli-ipv6.bro
index b4fdfb5fcf..0e360df713 100644
--- a/testing/btest/istate/broccoli-ipv6.bro
+++ b/testing/btest/istate/broccoli-ipv6.bro
@@ -3,8 +3,7 @@
 # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib
 #
 # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro
-# @TEST-EXEC: sleep 1
-# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs
+# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -R
 # @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: btest-diff bro/.stdout
 # @TEST-EXEC: btest-diff broccoli/.stdout
diff --git a/testing/btest/istate/broccoli-ssl.bro b/testing/btest/istate/broccoli-ssl.bro
index dcbea93150..fce5ed8535 100644
--- a/testing/btest/istate/broccoli-ssl.bro
+++ b/testing/btest/istate/broccoli-ssl.bro
@@ -4,8 +4,7 @@
 #
 # @TEST-EXEC: chmod 600 broccoli.conf
 # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ssl=T" "ssl_ca_certificate=../ca_cert.pem" "ssl_private_key=../bro.pem"
-# @TEST-EXEC: sleep 1
-# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs
+# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs -R
 # @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: btest-diff bro/.stdout
 # @TEST-EXEC: btest-diff broccoli/.stdout
diff --git a/testing/btest/istate/broccoli-vector.bro b/testing/btest/istate/broccoli-vector.bro
index ce107f45d3..cf0b0c8642 100644
--- a/testing/btest/istate/broccoli-vector.bro
+++ b/testing/btest/istate/broccoli-vector.bro
@@ -3,8 +3,7 @@
 # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib
 #
 # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-vectors.bro
-# @TEST-EXEC: sleep 1
-# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-vectors
+# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-vectors -R
 # @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: btest-diff bro/.stdout
 # @TEST-EXEC: btest-diff broccoli/.stdout
diff --git a/testing/btest/istate/broccoli.bro b/testing/btest/istate/broccoli.bro
index 2fdd4cbda4..a6427412bf 100644
--- a/testing/btest/istate/broccoli.bro
+++ b/testing/btest/istate/broccoli.bro
@@ -3,8 +3,7 @@
 # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib
 #
 # @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broping-record.bro
-# @TEST-EXEC: sleep 1
-# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broping -r -c 3 127.0.0.1
+# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broping -R -r -c 3 127.0.0.1
 # @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: cat bro/ping.log | sed 's/one-way.*//g' >bro.log
 # @TEST-EXEC: cat broccoli/.stdout | sed 's/time=.*//g' >broccoli.log
diff --git a/testing/btest/istate/pybroccoli.py b/testing/btest/istate/pybroccoli.py
index 9f26efca31..0d7106d592 100644
--- a/testing/btest/istate/pybroccoli.py
+++ b/testing/btest/istate/pybroccoli.py
@@ -4,12 +4,13 @@
 # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/bindings/broccoli-python/_broccoli_intern.so
 #
 # @TEST-EXEC: btest-bg-run bro    bro %INPUT $DIST/aux/broccoli/bindings/broccoli-python/tests/test.bro
+# @TEST-EXEC: sleep 2
 # @TEST-EXEC: btest-bg-run python PYTHONPATH=$DIST/aux/broccoli/bindings/broccoli-python/:$BUILD/aux/broccoli/bindings/broccoli-python python $DIST/aux/broccoli/bindings/broccoli-python/tests/test.py
 # @TEST-EXEC: btest-bg-wait -k 20
 # @TEST-EXEC: btest-diff bro/.stdout
 #
-# @TEST-EXEC: sed 's/instance at [^>]*>/instance at >/' <python/.stdout >python/.stdout.filtered
-# @TEST-EXEC: btest-diff python/.stdout.filtered
+# @TEST-EXEC: sed -e 's/instance at [^>]*>/instance at >/' -e 's/object at [^>]*>/instance at >/' <python/.stdout >python/.stdout.filtered
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -e 's/^\([-]*[0-9][0-9]*\)L/\1/' | $SCRIPTS/diff-remove-timestamps" btest-diff python/.stdout.filtered
 
 event remote_connection_closed(p: event_peer)
 	{
diff --git a/testing/btest/language/expire-expr-error.bro b/testing/btest/language/expire-expr-error.bro
index c355bd58ed..7c9a3aa318 100644
--- a/testing/btest/language/expire-expr-error.bro
+++ b/testing/btest/language/expire-expr-error.bro
@@ -1,13 +1,12 @@
-# @TEST-EXEC: btest-bg-run broproc bro %INPUT
-# @TEST-EXEC: btest-bg-wait -k 5
-# @TEST-EXEC: cat broproc/.stderr > output
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: cp .stderr output
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
 
+redef exit_only_after_terminate = T;
+
 global x: table[string] of interval;
 global data: table[int] of string &create_expire=x["kaputt"];
 
-@load frameworks/communication/listen
-
 global runs = 0;
 event do_it()
 	{
@@ -16,6 +15,8 @@ event do_it()
 	++runs;
 	if ( runs < 4 )
 		schedule 1sec { do_it() };
+	else
+		terminate();
 	}
 
 
@@ -24,6 +25,3 @@ event bro_init() &priority=-10
 	data[0] = "some data";
 	schedule 1sec { do_it() };
 	}
-
-
-
diff --git a/testing/btest/language/expire-redef.bro b/testing/btest/language/expire-redef.bro
index f08ac8d3f2..5cbb00f313 100644
--- a/testing/btest/language/expire-redef.bro
+++ b/testing/btest/language/expire-redef.bro
@@ -3,24 +3,22 @@
 
 redef exit_only_after_terminate = T;
 
-@load frameworks/communication/listen
-
 const exp_val = -1sec &redef;
 
 global expired: function(tbl: table[int] of string, idx: int): interval;
 global data: table[int] of string &write_expire=exp_val &expire_func=expired;
 
 redef table_expire_interval = 1sec;
-redef exp_val = 5sec;
+redef exp_val = 6sec;
 
 global runs = 0;
 event do_it()
 	{
+	++runs;
 	print fmt("Run %s", runs);
 
-	++runs;
-	if ( runs < 4 )
-		schedule 2sec { do_it() };
+	if ( runs < 2 )
+		schedule 4sec { do_it() };
 	else
 		terminate();
 	}
@@ -35,5 +33,5 @@ function expired(tbl: table[int] of string, idx: int): interval
 event bro_init() &priority=-10
 	{
 	data[0] = "some data";
-	schedule 2sec { do_it() };
+	schedule 4sec { do_it() };
 	}
diff --git a/testing/btest/language/no-module.bro b/testing/btest/language/no-module.bro
index 24795df0fb..fff55d3854 100644
--- a/testing/btest/language/no-module.bro
+++ b/testing/btest/language/no-module.bro
@@ -27,6 +27,7 @@ event bro_init()
 {
 	test_case( "function", T );
 	test_case( "global variable", num == 123 );
+	test_case( "fully qualified global variable", GLOBAL::num == 123 ); # test for BIT-1758 : GLOBAL scope ID discovery bug
 	test_case( "const", daysperyear == 365 );
 	event testevent( "foo" );
 }
diff --git a/testing/btest/language/uninitialized-local2.bro b/testing/btest/language/uninitialized-local2.bro
new file mode 100644
index 0000000000..f11a5fda10
--- /dev/null
+++ b/testing/btest/language/uninitialized-local2.bro
@@ -0,0 +1,25 @@
+# @TEST-EXEC: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+event test()
+	{
+	local var_a: string = "foo";
+	}
+
+event test()
+	{
+	if ( F )
+		{
+		local var_b: string = "bar";
+		}
+
+	local var_a: string = "baz";
+
+	print "var_a is", var_a;
+	print "var_b is", var_b;
+	}
+
+event bro_init()
+	{
+	event test();
+	}
diff --git a/testing/btest/plugins/api-version-mismatch.sh b/testing/btest/plugins/api-version-mismatch.sh
deleted file mode 100644
index 2483582359..0000000000
--- a/testing/btest/plugins/api-version-mismatch.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo
-# @TEST-EXEC: bash %INPUT
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
-# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >tmp 2>&1
-# @TEST-EXEC: cat tmp | sed 's/Demo-Foo[-a-zA-Z0-9_.]*/XXX/' >>output
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
-
-( echo '#define BRO_PLUGIN_API_VERSION 42'; cat src/Plugin.cc; ) >src/Plugin.cc.tmp && mv src/Plugin.cc.tmp src/Plugin.cc
diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc
index 407ad1c242..d636e12b7c 100644
--- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc
+++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc
@@ -3,6 +3,8 @@
 
 #include <Func.h>
 #include <Event.h>
+#include <Conn.h>
+#include <threading/Formatter.h>
 
 namespace plugin { namespace Demo_Hooks { Plugin plugin; } }
 
@@ -18,6 +20,9 @@ plugin::Configuration Plugin::Configure()
 	EnableHook(META_HOOK_PRE);
 	EnableHook(META_HOOK_POST);
 	EnableHook(HOOK_BRO_OBJ_DTOR);
+	EnableHook(HOOK_SETUP_ANALYZER_TREE);
+	EnableHook(HOOK_LOG_INIT);
+	EnableHook(HOOK_LOG_WRITE);
 
 	plugin::Configuration config;
 	config.name = "Demo::Hooks";
@@ -121,3 +126,134 @@ void Plugin::MetaHookPost(HookType hook, const HookArgumentList& args, HookArgum
 		hook_name(hook), d1.Description(),
 		d2.Description());
 	}
+
+void Plugin::HookSetupAnalyzerTree(Connection *conn)
+	{
+	ODesc d;
+	d.SetShort();
+	conn->Describe(&d);
+
+	fprintf(stderr, "%.6f %-15s %s\n", network_time, "| HookSetupAnalyzerTree", d.Description());
+	}
+
+void Plugin::HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields)
+	{
+	ODesc d;
+
+	d.Add("{");
+	for ( int i=0; i < num_fields; i++ )
+		{
+		const threading::Field* f = fields[i];
+
+		if ( i > 0 )
+			d.Add(", ");
+
+		d.Add(f->name);
+		d.Add(" (");
+		d.Add(f->TypeName());
+		d.Add(")");
+		}
+	d.Add("}");
+
+	fprintf(stderr, "%.6f %-15s %s %d/%d %s\n", network_time, "| HookLogInit", info.path, local, remote, d.Description());
+	}
+
+void Plugin::RenderVal(const threading::Value* val, ODesc &d) const
+	{
+		if ( ! val->present )
+			{
+			d.Add("<uninitialized>");
+			return;
+			}
+
+		switch ( val->type ) {
+
+			case TYPE_BOOL:
+				d.Add(val->val.int_val ? "T" : "F");
+				break;
+
+			case TYPE_INT:
+				d.Add(val->val.int_val);
+				break;
+
+			case TYPE_COUNT:
+			case TYPE_COUNTER:
+				d.Add(val->val.uint_val);
+				break;
+
+			case TYPE_PORT:
+				d.Add(val->val.port_val.port);
+				break;
+
+			case TYPE_SUBNET:
+				d.Add(threading::formatter::Formatter::Render(val->val.subnet_val));
+				break;
+
+			case TYPE_ADDR:
+				d.Add(threading::formatter::Formatter::Render(val->val.addr_val));
+				break;
+
+			case TYPE_DOUBLE:
+				d.Add(val->val.double_val, true);
+				break;
+
+			case TYPE_INTERVAL:
+			case TYPE_TIME:
+				d.Add(threading::formatter::Formatter::Render(val->val.double_val));
+				break;
+
+			case TYPE_ENUM:
+			case TYPE_STRING:
+			case TYPE_FILE:
+			case TYPE_FUNC:
+				d.AddN(val->val.string_val.data, val->val.string_val.length);
+				break;
+
+			case TYPE_TABLE:
+				for ( int j = 0; j < val->val.set_val.size; j++ )
+					{
+					if ( j > 0 )
+						d.Add(",");
+
+					RenderVal(val->val.set_val.vals[j], d);
+					}
+				break;
+
+			case TYPE_VECTOR:
+				for ( int j = 0; j < val->val.vector_val.size; j++ )
+					{
+					if ( j > 0 )
+						d.Add(",");
+
+					RenderVal(val->val.vector_val.vals[j], d);
+					}
+				break;
+
+			default:
+				assert(false);
+		}
+	}
+
+bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals)
+	{
+	ODesc d;
+
+	d.Add("[");
+	for ( int i=0; i < num_fields; i++ )
+		{
+		const threading::Field* f = fields[i];
+		const threading::Value* val = vals[i];
+
+		if ( i > 0 )
+			d.Add(", ");
+
+		d.Add(f->name);
+		d.Add("=");
+
+		RenderVal(val, d);
+		}
+	d.Add("]");
+
+	fprintf(stderr, "%.6f %-15s %s %s\n", network_time, "| HookLogWrite", info.path, d.Description());
+	return true;
+	}
diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.h b/testing/btest/plugins/hooks-plugin/src/Plugin.h
index efbd25bc2d..64227c0660 100644
--- a/testing/btest/plugins/hooks-plugin/src/Plugin.h
+++ b/testing/btest/plugins/hooks-plugin/src/Plugin.h
@@ -10,17 +10,22 @@ namespace Demo_Hooks {
 class Plugin : public ::plugin::Plugin
 {
 protected:
-	virtual int HookLoadFile(const std::string& file, const std::string& ext);
-	virtual std::pair<bool, Val*> HookCallFunction(const Func* func, Frame* frame, val_list* args);
-	virtual bool HookQueueEvent(Event* event);
-	virtual void HookDrainEvents();
-	virtual void HookUpdateNetworkTime(double network_time);
-	virtual void HookBroObjDtor(void* obj);
-	virtual void MetaHookPre(HookType hook, const HookArgumentList& args);
-	virtual void MetaHookPost(HookType hook, const HookArgumentList& args, HookArgument result);
+	int HookLoadFile(const std::string& file, const std::string& ext) override;
+	std::pair<bool, Val*> HookCallFunction(const Func* func, Frame* frame, val_list* args) override;
+	bool HookQueueEvent(Event* event) override;
+	void HookDrainEvents() override;
+	void HookUpdateNetworkTime(double network_time) override;
+	void HookBroObjDtor(void* obj) override;
+	void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) override;
+	bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) override;
+	void HookSetupAnalyzerTree(Connection *conn) override;
+	void MetaHookPre(HookType hook, const HookArgumentList& args) override;
+	void MetaHookPost(HookType hook, const HookArgumentList& args, HookArgument result) override;
+
+	void RenderVal(const threading::Value* val, ODesc &d) const;
 
 	// Overridden from plugin::Plugin.
-	virtual plugin::Configuration Configure();
+	plugin::Configuration Configure() override;
 };
 
 extern Plugin plugin;
diff --git a/src/analyzer/protocol/pia/events.bif b/testing/btest/plugins/logging-hooks-plugin/.btest-ignore
similarity index 100%
rename from src/analyzer/protocol/pia/events.bif
rename to testing/btest/plugins/logging-hooks-plugin/.btest-ignore
diff --git a/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc
new file mode 100644
index 0000000000..32dd2b17b3
--- /dev/null
+++ b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc
@@ -0,0 +1,60 @@
+
+#include "Plugin.h"
+
+#include <Func.h>
+#include <Event.h>
+#include <Conn.h>
+#include <threading/Formatter.h>
+
+namespace plugin { namespace Log_Hooks { Plugin plugin; } }
+
+using namespace plugin::Log_Hooks;
+
+plugin::Configuration Plugin::Configure()
+	{
+	round = 0;
+	EnableHook(HOOK_LOG_INIT);
+	EnableHook(HOOK_LOG_WRITE);
+
+	plugin::Configuration config;
+	config.name = "Log::Hooks";
+	config.description = "Exercises Log hooks";
+	config.version.major = 1;
+	config.version.minor = 0;
+	return config;
+	}
+
+void Plugin::HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields)
+	{
+	ODesc d;
+
+	d.Add("{");
+	for ( int i=0; i < num_fields; i++ )
+		{
+		const threading::Field* f = fields[i];
+
+		if ( i > 0 )
+			d.Add(", ");
+
+		d.Add(f->name);
+		d.Add(" (");
+		d.Add(f->TypeName());
+		d.Add(")");
+		}
+	d.Add("}");
+
+	fprintf(stderr, "%.6f %-15s %s %d/%d %s\n", network_time, "| HookLogInit", info.path, local, remote, d.Description());
+	}
+
+bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals)
+	{
+	round++;
+	if ( round == 1 ) // do not output line
+		return false;
+	else if ( round == 2 )
+		vals[0]->val.int_val = 0;
+	else if ( round == 3 )
+		vals[1]->present = false;
+
+	return true;
+	}
diff --git a/testing/btest/plugins/logging-hooks-plugin/src/Plugin.h b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.h
new file mode 100644
index 0000000000..12b821c22c
--- /dev/null
+++ b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.h
@@ -0,0 +1,28 @@
+
+#ifndef BRO_PLUGIN_Log_Hooks
+#define BRO_PLUGIN_Log_Hooks
+
+#include <plugin/Plugin.h>
+
+namespace plugin {
+namespace Log_Hooks {
+
+class Plugin : public ::plugin::Plugin
+{
+protected:
+	void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) override;
+	bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) override;
+
+	// Overridden from plugin::Plugin.
+	plugin::Configuration Configure() override;
+
+private:
+	int round;
+};
+
+extern Plugin plugin;
+
+}
+}
+
+#endif
diff --git a/testing/btest/plugins/logging-hooks.bro b/testing/btest/plugins/logging-hooks.bro
new file mode 100644
index 0000000000..f2ca926c06
--- /dev/null
+++ b/testing/btest/plugins/logging-hooks.bro
@@ -0,0 +1,72 @@
+# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Log Hooks
+# @TEST-EXEC: cp -r %DIR/logging-hooks-plugin/* .
+# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: BRO_PLUGIN_ACTIVATE="Log::Hooks" BRO_PLUGIN_PATH=`pwd` bro -b %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq  >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff ssh.log
+
+redef LogAscii::empty_field = "EMPTY";
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		b: bool;
+		i: int &optional;
+		e: Log::ID;
+		c: count;
+		p: port;
+		sn: subnet;
+		a: addr;
+		d: double;
+		t: time;
+		iv: interval;
+		s: string;
+		sc: set[count];
+		ss: set[string];
+		se: set[string];
+		vc: vector of count;
+		ve: vector of string;
+		f: function(i: count) : string;
+	} &log;
+}
+
+function foo(i : count) : string
+	{
+	if ( i > 0 )
+		return "Foo";
+	else
+		return "Bar";
+	}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+	local empty_set: set[string];
+	local empty_vector: vector of string;
+
+	local i = 0;
+	while ( ++i < 4 )
+		Log::write(SSH::LOG, [
+			$b=T,
+			$i=-i,
+			$e=SSH::LOG,
+			$c=21,
+			$p=123/tcp,
+			$sn=10.0.0.1/24,
+			$a=1.2.3.4,
+			$d=3.14,
+			$t=network_time(),
+			$iv=100secs,
+			$s="hurz",
+			$sc=set(1,2,3,4),
+			$ss=set("AA", "BB", "CC"),
+			$se=empty_set,
+			$vc=vector(10, 20, 30),
+			$ve=empty_vector,
+			$f=foo
+			]);
+}
diff --git a/testing/btest/plugins/pktsrc-plugin/src/Foo.cc b/testing/btest/plugins/pktsrc-plugin/src/Foo.cc
index af752a20bf..b2b768b4ba 100644
--- a/testing/btest/plugins/pktsrc-plugin/src/Foo.cc
+++ b/testing/btest/plugins/pktsrc-plugin/src/Foo.cc
@@ -44,7 +44,7 @@ bool Foo::ExtractNextPacket(Packet* pkt)
 		return false;
 		}
 
-	struct timeval ts = { 1409193037, 0 };
+	pkt_timeval ts = { 1409193037, 0 };
 	pkt->Init(props.link_type, &ts, packet.size(), packet.size(), 
 		(const u_char *)packet.c_str());
 	return true;
diff --git a/testing/btest/scripts/base/files/extract/limit.bro b/testing/btest/scripts/base/files/extract/limit.bro
index 1ac5f20b6d..4deecd292d 100644
--- a/testing/btest/scripts/base/files/extract/limit.bro
+++ b/testing/btest/scripts/base/files/extract/limit.bro
@@ -4,6 +4,7 @@
 # @TEST-EXEC: bro -b -r $TRACES/ftp/retr.trace %INPUT max_extract=3000 efname=2 double_it=T
 # @TEST-EXEC: btest-diff extract_files/2
 # @TEST-EXEC: btest-diff 2.out
+# @TEST-EXEC: btest-diff files.log
 # @TEST-EXEC: bro -b -r $TRACES/ftp/retr.trace %INPUT max_extract=7000 efname=3 unlimit_it=T
 # @TEST-EXEC: btest-diff extract_files/3
 # @TEST-EXEC: btest-diff 3.out
diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test
new file mode 100644
index 0000000000..8bb920ee71
--- /dev/null
+++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test
@@ -0,0 +1,62 @@
+# @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load protocols/ssl/validate-certs
+
+redef SSL::ssl_store_valid_chain = T;
+
+export {
+	type LogInfo: record {
+		version: count;
+		logid: string;
+		timestamp: count;
+		sig_alg: count;
+		hash_alg: count;
+		signature: string;
+	};
+}
+
+redef record SSL::Info += {
+	ct_proofs: vector of LogInfo &default=vector();
+};
+
+event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string)
+	{
+	print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm;
+
+	if ( |f$conns| != 1 )
+		return;
+
+	for ( cid in f$conns )
+		{
+		if ( ! f$conns[cid]?$ssl )
+			return;
+
+		local c = f$conns[cid];
+		}
+
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature);
+	}
+
+event ssl_established(c: connection)
+	{
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	if ( |c$ssl$valid_chain| < 2 )
+		return;
+
+	local cert = c$ssl$cert_chain[0]$x509$handle;
+	local issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4);
+
+	for ( i in c$ssl$ct_proofs )
+		{
+		local log = c$ssl$ct_proofs[i];
+
+		print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg, issuer_key_hash);
+		print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg, issuer_key_hash);
+		}
+	}
diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test
new file mode 100644
index 0000000000..01ed128541
--- /dev/null
+++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test
@@ -0,0 +1,31 @@
+# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string)
+	{
+	print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm;
+
+	if ( |f$conns| != 1 )
+		return;
+
+	for ( cid in f$conns )
+		{
+		if ( ! f$conns[cid]?$ssl )
+			return;
+
+		local c = f$conns[cid];
+		}
+
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	local cert = c$ssl$cert_chain[0]$x509$handle;
+
+	print "Verify of", SSL::ct_logs[logid]$description, sct_verify(cert, logid, SSL::ct_logs[logid]$key, signature, timestamp, hash_algorithm);
+	print "Bad verify of", SSL::ct_logs[logid]$description, sct_verify(cert, logid, SSL::ct_logs[logid]$key, signature, timestamp+1, hash_algorithm);
+	}
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/byteranges.bro b/testing/btest/scripts/base/frameworks/file-analysis/byteranges.bro
new file mode 100644
index 0000000000..7cf0ef239c
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/file-analysis/byteranges.bro
@@ -0,0 +1,6 @@
+# This used to crash the file reassemly code.
+#
+# @TEST-EXEC: bro -r $TRACES/http/byteranges.trace frameworks/files/extract-all-files FileExtract::default_limit=4000
+# 
+# @TEST-EXEC: btest-diff files.log
+
diff --git a/testing/btest/scripts/base/frameworks/input/invalid-lines.bro b/testing/btest/scripts/base/frameworks/input/invalid-lines.bro
new file mode 100644
index 0000000000..83be1efd09
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/input/invalid-lines.bro
@@ -0,0 +1,67 @@
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff out
+
+redef exit_only_after_terminate = T;
+redef InputAscii::fail_on_invalid_lines = F;
+
+@TEST-START-FILE input.log
+#separator \x09
+#path	ssh
+#fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve	ns
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	table	table	table	vector	vector	string
+T	-42	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1315801931.273616	100.000000	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30
+T	-42	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1315801931.273616	100.000000	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY	4242
+T	-43	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1315801931.273616	100.000000	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY	4242 HOHOHO
+T	-41
+@TEST-END-FILE
+
+@load base/protocols/ssh
+
+global outfile: file;
+
+redef InputAscii::empty_field = "EMPTY";
+
+module A;
+
+type Idx: record {
+	i: int;
+};
+
+type Val: record {
+	b: bool;
+	e: Log::ID;
+	c: count;
+	p: port;
+	sn: subnet;
+	a: addr;
+	d: double;
+	t: time;
+	iv: interval;
+	s: string;
+	ns: string;
+	sc: set[count];
+	ss: set[string];
+	se: set[string];
+	vc: vector of int;
+	ve: vector of int;
+};
+
+global servers: table[int] of Val = table();
+global servers2: table[int] of Val = table();
+
+event bro_init()
+	{
+	outfile = open("../out");
+	# first read in the old stuff into the table...
+	Input::add_table([$source="../input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]);
+	Input::add_table([$source="../input.log", $name="ssh2", $idx=Idx, $val=Val, $destination=servers2, $config=table(["fail_on_invalid_lines"] = "T")]);
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	print outfile, servers;
+	Input::remove("ssh");
+	close(outfile);
+	terminate();
+	}
diff --git a/testing/btest/scripts/base/frameworks/input/invalidtext.bro b/testing/btest/scripts/base/frameworks/input/invalidtext.bro
index 1de4e96671..3f5b590dec 100644
--- a/testing/btest/scripts/base/frameworks/input/invalidtext.bro
+++ b/testing/btest/scripts/base/frameworks/input/invalidtext.bro
@@ -13,6 +13,7 @@
 @TEST-END-FILE
 
 redef exit_only_after_terminate = T;
+redef InputAscii::fail_on_invalid_lines = T;
 
 global outfile: file;
 
diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro
new file mode 100644
index 0000000000..4db255b69d
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro
@@ -0,0 +1,49 @@
+# This tests files that don't exist initially and then do later during
+# runtime to make sure the ascii reader is resilient to files missing.
+# It does a second test at the same time which configures the old
+# failing behavior.
+
+# @TEST-EXEC: btest-bg-run bro bro %INPUT
+# @TEST-EXEC: sleep 2; cp does-exist.dat does-not-exist.dat
+# @TEST-EXEC: sleep 2; mv does-not-exist.dat does-not-exist-again.dat; echo "Streaming still works" >> does-not-exist-again.dat
+# @TEST-EXEC: btest-bg-wait -k 3
+# @TEST-EXEC: btest-diff bro/.stdout
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stderr
+
+@TEST-START-FILE does-exist.dat
+#separator \x09
+#fields	line
+#types	string
+now it does
+and more!
+@TEST-END-FILE
+
+redef exit_only_after_terminate = T;
+
+@load base/frameworks/input
+
+module A;
+
+type Val: record {
+	line: string;
+};
+
+event line(description: Input::EventDescription, tpe: Input::Event, v: Val)
+	{
+	print v$line;
+	}
+
+event line2(description: Input::EventDescription, tpe: Input::Event, v: Val)
+	{
+	print "DONT PRINT THIS LINE";
+	}
+
+
+event bro_init()
+	{
+	Input::add_event([$source="../does-not-exist.dat", $name="input", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line, $want_record=T]);
+	Input::add_event([$source="../does-not-exist.dat", $name="inputstream", $reader=Input::READER_ASCII, $mode=Input::STREAM, $fields=Val, $ev=line, $want_record=T]);
+	Input::add_event([$source="../does-not-exist.dat", $name="inputmanual", $reader=Input::READER_ASCII, $mode=Input::MANUAL, $fields=Val, $ev=line, $want_record=T]);
+	Input::add_event([$source="../does-not-exist.dat", $name="input2", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line2, $want_record=T,
+	                  $config=table(["fail_on_file_problem"] = "T")]);
+	}
diff --git a/testing/btest/scripts/base/frameworks/input/missing-file.bro b/testing/btest/scripts/base/frameworks/input/missing-file.bro
index 08adfe2150..2ec3bb937f 100644
--- a/testing/btest/scripts/base/frameworks/input/missing-file.bro
+++ b/testing/btest/scripts/base/frameworks/input/missing-file.bro
@@ -3,6 +3,7 @@
 # @TEST-EXEC: btest-diff bro/.stderr
 
 redef exit_only_after_terminate = T;
+redef InputAscii::fail_on_file_problem = T;
 
 global outfile: file;
 global try: count;
diff --git a/testing/btest/scripts/base/frameworks/intel/expire-item.bro b/testing/btest/scripts/base/frameworks/intel/expire-item.bro
index df9170b669..690a461ea4 100644
--- a/testing/btest/scripts/base/frameworks/intel/expire-item.bro
+++ b/testing/btest/scripts/base/frameworks/intel/expire-item.bro
@@ -9,9 +9,10 @@
 1.2.3.4	Intel::ADDR	source1	this host is bad	http://some-data-distributor.com/1
 # @TEST-END-FILE
 
-@load frameworks/communication/listen
 @load frameworks/intel/do_expire
 
+redef exit_only_after_terminate = T;
+
 redef Intel::read_files += { "../intel.dat" };
 redef enum Intel::Where += { SOMEWHERE };
 redef Intel::item_expiration = 9sec;
@@ -20,13 +21,32 @@ redef table_expire_interval = 3sec;
 global runs = 0;
 event do_it()
 	{
+	++runs;
+	print fmt("-- Run %s --", runs);
+
 	print "Trigger: 1.2.3.4";
 	Intel::seen([$host=1.2.3.4,
 	             $where=SOMEWHERE]);
 
-	++runs;
+	if ( runs == 2 )
+		{
+		# Reinserting the indicator should reset the expiration
+		print "Reinsert: 1.2.3.4";
+		local item = [
+			$indicator="1.2.3.4",
+			$indicator_type=Intel::ADDR,
+			$meta=[
+				$source="source2",
+				$desc="this host is still bad",
+				$url="http://some-data-distributor.com/2"]
+			];
+		Intel::insert(item);
+		}
+
 	if ( runs < 6 )
 		schedule 3sec { do_it() };
+	else
+		terminate();
 	}
 
 event Intel::match(s: Intel::Seen, items: set[Intel::Item])
diff --git a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro b/testing/btest/scripts/base/frameworks/intel/match-subnet.bro
index 1e25868de1..8e3fe74116 100644
--- a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro
+++ b/testing/btest/scripts/base/frameworks/intel/match-subnet.bro
@@ -14,7 +14,7 @@
 192.168.128.0/18	Intel::SUBNET	source1	this subnetwork might be baaad	http://some-data-distributor.com/5
 # @TEST-END-FILE
 
-@load frameworks/communication/listen
+redef exit_only_after_terminate = T;
 
 redef Intel::read_files += { "../intel.dat" };
 redef enum Intel::Where += { SOMEWHERE };
diff --git a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro
index 379d132834..1885f5bcf8 100644
--- a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro
+++ b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro
@@ -9,7 +9,7 @@
 192.168.1.1	Intel::ADDR	source1	this host is just plain baaad	http://some-data-distributor.com/1
 # @TEST-END-FILE
 
-@load frameworks/communication/listen
+redef exit_only_after_terminate = T;
 
 redef Intel::read_files += { "../intel.dat" };
 redef enum Intel::Where += { SOMEWHERE };
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro
new file mode 100644
index 0000000000..9563f42c40
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro
@@ -0,0 +1,75 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: gunzip ssh.log.gz
+# @TEST-EXEC: btest-diff ssh.log
+# @TEST-EXEC: btest-diff ssh-uncompressed.log
+#
+# Testing all possible types.
+
+redef LogAscii::gzip_level = 9;
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		b: bool;
+		i: int;
+		e: Log::ID;
+		c: count;
+		p: port;
+		sn: subnet;
+		a: addr;
+		d: double;
+		t: time;
+		iv: interval;
+		s: string;
+		sc: set[count];
+		ss: set[string];
+		se: set[string];
+		vc: vector of count;
+		ve: vector of string;
+		f: function(i: count) : string;
+	} &log;
+}
+
+function foo(i : count) : string
+	{
+	if ( i > 0 )
+		return "Foo";
+	else
+		return "Bar";
+	}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+	local filter = Log::Filter($name="ssh-uncompressed", $path="ssh-uncompressed",
+	                           $config = table(["gzip_level"] = "0"));
+	Log::add_filter(SSH::LOG, filter);
+
+	local empty_set: set[string];
+	local empty_vector: vector of string;
+
+	Log::write(SSH::LOG, [
+		$b=T,
+		$i=-42,
+		$e=SSH::LOG,
+		$c=21,
+		$p=123/tcp,
+		$sn=10.0.0.1/24,
+		$a=1.2.3.4,
+		$d=3.14,
+		$t=(strptime("%Y-%m-%dT%H:%M:%SZ", "2008-07-09T16:13:30Z") + 0.543210 secs),
+		$iv=100secs,
+		$s="hurz",
+		$sc=set(1,2,3,4),
+		$ss=set("AA", "BB", "CC"),
+		$se=empty_set,
+		$vc=vector(10, 20, 30),
+		$ve=empty_vector,
+		$f=foo
+		]);
+}
+
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro
index 364624e90e..e13b1d340e 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro
@@ -79,6 +79,11 @@ event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState,
 	print "rule removed", r$entity, r$ty;
 	}
 
+event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
+	{
+	print "rule error", r$entity, r$ty;
+	}
+
 @TEST-END-FILE
 
 @TEST-START-FILE recv.bro
@@ -115,7 +120,10 @@ event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetContro
 	{
 	print "remove_rule", id, r$entity, r$ty, ar;
 
-	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command));
+	if ( r$cid != 2 )
+		Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command));
+	else
+		Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_error, id, r, ar$command));
 
 	if ( r$cid == 4 )
 		terminate();
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro
deleted file mode 100644
index fd7de7e442..0000000000
--- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro
+++ /dev/null
@@ -1,132 +0,0 @@
-# @TEST-SERIALIZE: comm
-#
-# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT"
-# @TEST-EXEC: sleep 1
-# @TEST-EXEC: btest-bg-run worker-1  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
-# @TEST-EXEC: btest-bg-run worker-2  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
-# @TEST-EXEC: btest-bg-wait 20
-# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff manager-1/netcontrol.log
-# @TEST-EXEC: btest-diff manager-1/netcontrol_catch_release.log
-# @TEST-EXEC: btest-diff worker-2/.stdout
-
-@TEST-START-FILE cluster-layout.bro
-redef Cluster::nodes = {
-	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")],
-	["worker-1"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"],
-	["worker-2"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth0"],
-};
-@TEST-END-FILE
-
-redef exit_only_after_terminate = T;
-
-redef Log::default_rotation_interval = 0secs;
-
-@load base/frameworks/netcontrol
-redef NetControl::catch_release_warn_blocked_ip_encountered = T;
-
-global ready_for_data_1: event();
-global ready_for_data_2: event();
-redef Cluster::manager2worker_events += /^ready_for_data_(1|2)$/;
-
-@if ( Cluster::local_node_type() == Cluster::MANAGER )
-
-global peer_count = 0;
-event remote_connection_handshake_done(p: event_peer) &priority=-5
-	{
-	++peer_count;
-	print "remote_connection_handshake_done", peer_count;
-	if ( peer_count == 2 )
-		{
-		event ready_for_data_1();
-		schedule 1.5sec { ready_for_data_2() };
-		}
-	}
-
-@endif
-
-@if ( Cluster::local_node_type() == Cluster::WORKER )
-event bro_init()
-	{
-	print "Suspend", Cluster::node;
-	suspend_processing();
-	}
-
-event remote_connection_closed(p: event_peer) {
-	print "remote connection closed";
-	terminate();
-}
-@endif
-
-@if ( Cluster::node == "worker-1" )
-event ready_for_data_1()
-	{
-	print "Resume", Cluster::node;
-	continue_processing();
-	}
-@endif
-
-@if ( Cluster::node == "worker-2" )
-event ready_for_data_2()
-	{
-	print "Resume", Cluster::node;
-	continue_processing();
-	}
-@endif
-
-event NetControl::init()
-	{
-	local netcontrol_debug = NetControl::create_debug(T);
-	NetControl::activate(netcontrol_debug, 0);
-	}
-
-global i: count = 0;
-
-event connection_established(c: connection)
-	{
-	print "Connection established";
-	local id = c$id;
-	local info = NetControl::get_catch_release_info(id$orig_h);
-	print "Info", info;
-	NetControl::drop_address_catch_release(id$orig_h, cat("connection drop ", Cluster::node));
-	if ( info$current_block_id != "" )
-		{
-		NetControl::unblock_address_catch_release(id$orig_h, Cluster::node);
-		}
-	}
-
-@if ( Cluster::node == "worker-1" )
-event connection_established(c: connection)
-	{
-	NetControl::drop_address(8.8.8.8, 0.1secs, cat("direct drop ", Cluster::node));
-	NetControl::drop_address_catch_release(8.8.8.8, cat("direct cr ", Cluster::node));
-	}
-@endif
-
-@if ( Cluster::node == "worker-2" )
-event connection_established(c: connection)
-	{
-	NetControl::catch_release_seen(8.8.8.8);
-	}
-@endif
-
-event NetControl::catch_release_block_new(a: addr, b: NetControl::BlockInfo)
-	{
-	print "New block", a, b;
-	}
-
-event NetControl::catch_release_block_delete(a: addr)
-	{
-	print "Delete block", a;
-	}
-
-event terminate_me() {
-	terminate();
-}
-
-@if ( Cluster::local_node_type() == Cluster::MANAGER )
-event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
-	{
-	print "Scheduling terminate";
-	schedule 3sec { terminate_me() };
-	}
-@endif
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro
index 4aaaaf6900..29c56c2535 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro
@@ -1,5 +1,5 @@
 # @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
-# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort' btest-diff netcontrol.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log
 # @TEST-EXEC: btest-diff netcontrol_catch_release.log
 
 @load base/frameworks/netcontrol
diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro
index f61e8a3a9e..9a54f3d966 100644
--- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro
+++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro
@@ -40,6 +40,9 @@ global matched_software: table[string] of Software::Description = {
 		[$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $unparsed_version=""],
 	["Flash/10,2,153,1"] =
 		[$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$minor3=1], $unparsed_version=""],
+	# The addl on the following entry isn't so great, but it'll do.
+	["Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64)"] =
+		[$name="Flash", $version=[$major=26,$minor=0,$minor2=0,$minor3=137,$addl="CFNetwork/811"], $unparsed_version=""],
 	["mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731"] = 
 		[$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$minor3=967,$addl="Oct"], $unparsed_version=""],
 	["CacheFlyServe v26b"] =
@@ -110,6 +113,14 @@ global matched_software: table[string] of Software::Description = {
 		[$name="AdobeAIR", $version=[$major=1,$minor=0], $unparsed_version=""],
 	["Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0"] = 
 		[$name="AdobeAIR", $version=[$major=1,$minor=0], $unparsed_version=""],
+	["\\xe6\\xbc\\xab\\xe7\\x94\\xbb\\xe4\\xba\\xba 2.6.2 rv:1.2 (iPhone; iOS 10.3.2; en_US)"] =
+		[$name="\xe6\xbc\xab\xe7\x94\xbb\xe4\xba\xba", $version=[$major=2,$minor=6,$minor2=2,$addl="rv:1"], $unparsed_version=""],
+	["%E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/128 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64)"] =
+		[$name="\xe6\x9c\x89\xe9\x81\x93\xe8\xaf\x8d\xe5\x85\xb8", $version=[$major=128,$addl="CFNetwork/760"], $unparsed_version=""],
+	["QQ%E9%82%AE%E7%AE%B1/5.3.2.8 CFNetwork/811.5.4 Darwin/16.6.0"] =
+		[$name="QQ\xe9\x82\xae\xe7\xae\xb1", $version=[$major=5,$minor=3,$minor2=2,$minor3=8,$addl="CFNetwork/811"], $unparsed_version=""],
+	["Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063"] =
+		[$name="Edge", $version=[$major=15,$minor=15063], $unparsed_version=""],
 };
 
 event bro_init()
diff --git a/testing/btest/scripts/base/misc/version.bro b/testing/btest/scripts/base/misc/version.bro
index bb7879509d..238003f10d 100644
--- a/testing/btest/scripts/base/misc/version.bro
+++ b/testing/btest/scripts/base/misc/version.bro
@@ -10,6 +10,7 @@ print Version::parse("2.5.1-debug");
 print Version::parse("2.5-beta-12");
 print Version::parse("2.5-12-debug");
 print Version::parse("2.5.2-beta-12-debug");
+print Version::parse("2.5.2-beta5-12-debug");
 print Version::parse("1.12.20-beta-2562-debug");
 
 # bad versions
@@ -35,6 +36,6 @@ print "yup";
 print "yup";
 @endif
 
-@if ( Version::at_least("2.4") )
+@if ( Version::at_least("2.9") )
 print "no";
 @endif
diff --git a/testing/btest/scripts/base/protocols/http/percent-end-of-line.bro b/testing/btest/scripts/base/protocols/http/percent-end-of-line.bro
new file mode 100644
index 0000000000..a41dbab294
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/percent-end-of-line.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log
+
diff --git a/testing/btest/scripts/base/protocols/nfs/basic.test b/testing/btest/scripts/base/protocols/nfs/basic.test
new file mode 100755
index 0000000000..4940c095a5
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/nfs/basic.test
@@ -0,0 +1,66 @@
+# @TEST-EXEC: bro -b -r $TRACES/nfs/nfs_base.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+global nfs_ports: set[port] = { 2049/tcp, 2049/udp } &redef;
+redef ignore_checksums = T;
+
+event bro_init()
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_NFS, nfs_ports);
+	}
+
+event nfs_proc_lookup(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::lookup_reply_t )
+	{
+	print "nfs_proc_lookup", c, info, req, rep;
+	}
+
+event nfs_proc_read(c: connection , info: NFS3::info_t , req: NFS3::readargs_t , rep: NFS3::read_reply_t )
+	{
+	print "nfs_proc_read", c, info, req, rep;
+	}
+
+event nfs_proc_readlink(c: connection , info: NFS3::info_t , fh: string , rep: NFS3::readlink_reply_t )
+	{
+	print "nfs_proc_readlink", c, info, fh, rep;
+	}
+
+event nfs_proc_write(c: connection , info: NFS3::info_t , req: NFS3::writeargs_t , rep: NFS3::write_reply_t )
+	{
+	print "nfs_proc_write", c, info, req, rep;
+	}
+
+event nfs_proc_create(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::newobj_reply_t )
+	{
+	print "nfs_proc_create", c, info, req, rep;
+	}
+
+event nfs_proc_mkdir(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::newobj_reply_t )
+	{
+	print "nfs_proc_mkdir", c, info, req, rep;
+	}
+
+event nfs_proc_remove(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::delobj_reply_t )
+	{
+	print "nfs_proc_remove", c, info, req, rep;
+	}
+
+event nfs_proc_rmdir(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::delobj_reply_t )
+	{
+	print "nfs_proc_rmdir", c, info, req, rep;
+	}
+
+event nfs_proc_readdir(c: connection , info: NFS3::info_t , req: NFS3::readdirargs_t , rep: NFS3::readdir_reply_t )
+	{
+	print "nfs_proc_readdir", c, info, req, rep;
+	}
+
+event nfs_proc_rename(c: connection , info: NFS3::info_t , req: NFS3::renameopargs_t , rep: NFS3::renameobj_reply_t )
+	{
+	print "nfs_proc_rename", c, info, req, rep;
+	}
+
+event nfs_proc_not_implemented(c: connection , info: NFS3::info_t , proc: NFS3::proc_t )
+	{
+	print "nfs_proc_not_implemented", c, info, proc;
+	}
+
diff --git a/testing/btest/scripts/base/protocols/radius/radius-multiple-attempts.test b/testing/btest/scripts/base/protocols/radius/radius-multiple-attempts.test
new file mode 100644
index 0000000000..473e492355
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/radius/radius-multiple-attempts.test
@@ -0,0 +1,6 @@
+# Test a more complicated radius session with multiple attempts
+
+# @TEST-EXEC: bro -b -C -r $TRACES/radius/radius_localhost.pcapng %INPUT
+# @TEST-EXEC: btest-diff radius.log
+
+@load base/protocols/radius
diff --git a/testing/btest/scripts/base/protocols/smb/raw-ntlm.test b/testing/btest/scripts/base/protocols/smb/raw-ntlm.test
new file mode 100644
index 0000000000..8d5f91b881
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/raw-ntlm.test
@@ -0,0 +1,14 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/raw_ntlm_in_smb.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ntlm
+@load policy/protocols/smb
+
+# Just verify that the session key is grabbed correctly from NTLM
+# carried raw over SMB.
+
+event ntlm_authenticate(c: connection, request: NTLM::Authenticate)
+	{
+	if ( request?$session_key )
+		print request$session_key;
+	}
diff --git a/testing/btest/scripts/base/protocols/ssl/dpd.test b/testing/btest/scripts/base/protocols/ssl/dpd.test
index dc514ff9d4..02f3905e48 100644
--- a/testing/btest/scripts/base/protocols/ssl/dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dpd.test
@@ -2,6 +2,7 @@
 # @TEST-EXEC: bro -b -r $TRACES/tls/ssl.v3.trace %INPUT
 # @TEST-EXEC: bro -b -r $TRACES/tls/tls1.2.trace %INPUT
 # @TEST-EXEC: bro -b -r $TRACES/tls/tls-early-alert.trace %INPUT
+# @TEST-EXEC: bro -b -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
 @load base/frameworks/dpd
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
new file mode 100644
index 0000000000..ff48772b6a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
@@ -0,0 +1,43 @@
+# This tests a normal OCSP request sent through HTTP GET
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT
+# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+	{
+	print "request", version, requestorName;
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
new file mode 100644
index 0000000000..0176716553
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
@@ -0,0 +1,42 @@
+# This tests a OCSP request missing response
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+	{
+	print "request", version, requestorName;
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
new file mode 100644
index 0000000000..3adfab9aa2
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
@@ -0,0 +1,43 @@
+# This tests a pair of normal OCSP request and response
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-response.pcap %INPUT
+# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+	{
+	print "request", version, requestorName;
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
new file mode 100644
index 0000000000..f99a71802c
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
@@ -0,0 +1,43 @@
+# This tests a normal OCSP response missing request
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
+# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+	{
+	print "request", version, requestorName;
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
new file mode 100644
index 0000000000..ae39640f3f
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
@@ -0,0 +1,43 @@
+# This tests OCSP response with revocation
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT
+# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+	{
+	print "request", version, requestorName;
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}
diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
new file mode 100644
index 0000000000..0b9c5fc157
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
@@ -0,0 +1,39 @@
+# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+export {
+	type LogInfo: record {
+		version: count;
+		logid: string;
+		timestamp: count;
+		sig_alg: count;
+		hash_alg: count;
+		signature: string;
+	};
+}
+
+redef record SSL::Info += {
+	ct_proofs: vector of LogInfo &default=vector();
+};
+
+event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)
+	{
+	print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm;
+	c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature);
+	}
+
+event ssl_established(c: connection)
+	{
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	local cert = c$ssl$cert_chain[0]$x509$handle;
+
+	for ( i in c$ssl$ct_proofs )
+		{
+		local log = c$ssl$ct_proofs[i];
+
+		print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg);
+		print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg);
+		}
+	}
diff --git a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
index 261a698833..b8f3d42242 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
@@ -1,4 +1,5 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT
+# @TEST-EXEC: bro -C -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
 event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
@@ -33,3 +34,17 @@ event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_
 		print SSL::hash_algorithms[signature_algorithms[i]$HashAlgorithm], SSL::signature_algorithms[signature_algorithms[i]$SignatureAlgorithm];
 		}
 	}
+
+event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
+	{
+	print "supported_versions(", c$id$orig_h, c$id$resp_h;
+	for ( i in versions )
+		print SSL::version_strings[versions[i]];
+	}
+
+event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec)
+	{
+	print "psk_key_exchange_modes", c$id$orig_h, c$id$resp_h;
+	for ( i in modes )
+		print modes[i];
+	}
diff --git a/testing/btest/scripts/base/utils/json.test b/testing/btest/scripts/base/utils/json.test
new file mode 100644
index 0000000000..264151136a
--- /dev/null
+++ b/testing/btest/scripts/base/utils/json.test
@@ -0,0 +1,122 @@
+# Test the to_json() function on every basic data type.  For container types,
+# test with no elements, with one element, and with more than one element.
+# Test that the "only_loggable" option works (output only record fields with
+# the &log attribute).
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+type color: enum { Red, White, Blue };
+
+type myrec1: record {
+	c: count &optional;
+	s: string &log;
+};
+
+type myrec2: record {
+	m: myrec1 &log;
+};
+
+event bro_init()
+	{
+	# #####################################
+	# Test the basic (non-container) types:
+
+	local b: bool = T;
+	print to_json(b);
+
+	local c: count = 123;
+	print to_json(c);
+
+	local i: int = -999;
+	print to_json(i);
+
+	local d1: double = 3.14;
+	local d2: double = -1.23456789e308;
+	local d3: double = 9e-308;
+	print to_json(d1);
+	print to_json(d2);
+	print to_json(d3);
+
+	local t: time = double_to_time(1480788576.868945);
+	print to_json(t);
+
+	local ti: interval = -12hr;
+	print to_json(ti);
+
+	local s1: string = "hello";
+	local s2: string = "";
+	print to_json(s1);
+	print to_json(s2);
+
+	local p1: port = 65535/tcp;
+	local p2: port = 1/udp;
+	local p3: port = 123/icmp;
+	local p4: port = 0/unknown;
+	print to_json(p1);
+	print to_json(p2);
+	print to_json(p3);
+	print to_json(p4);
+
+	local a1: addr = 1.2.3.4;
+	local a2: addr = [ffff:1234::1];
+	local a3: addr = [::ffff:123.123.123.123];
+	print to_json(a1);
+	print to_json(a2);
+	print to_json(a3);
+
+	local su1: subnet = 192.0.0.0/8;
+	local su2: subnet = [fe80::]/64;
+	print to_json(su1);
+	print to_json(su2);
+
+	local e: color = Red;
+	print to_json(e);
+
+	# #########################
+	# Test the container types:
+
+	# Records
+	local re1 = myrec1($c=100, $s="test");
+	local re2 = myrec1($s="test");
+	local re3 = myrec2($m=myrec1($c=15, $s="test"));
+	print to_json(re1);
+	print to_json(re1, T);
+	print to_json(re2);
+	print to_json(re3, T);
+
+	# Vectors
+	local ve1: vector of count = vector();
+	local ve2: vector of count = vector(2, 1);
+	local ve3: vector of addr = vector(1.2.3.4);
+	local ve4: vector of set[bool] = vector(set(T, F));
+	local ve5: vector of myrec1 = vector(myrec1($s="test", $c=2));
+	print to_json(ve1);
+	print to_json(ve2);
+	print to_json(ve3);
+	print to_json(ve4);
+	print to_json(ve5, T);
+
+	# Sets
+	local st1: set[count] = set();
+	local st2: set[count] = set(2, 1);
+	local st3: set[addr] = set(1.2.3.4);
+	local st4: set[myrec1] = set(myrec1($s="test"));
+	local st5: set[myrec1] = set(myrec1($s="test", $c=2));
+	print to_json(st1);
+	print to_json(st2);
+	print to_json(st3);
+	print to_json(st4);
+	print to_json(st5, T);
+
+	# Tables
+	local ta1: table[count] of addr = table();
+	local ta2: table[count] of addr = {[1] = 10.1.1.1, [2] = 10.2.2.2};
+	local ta3: table[addr] of table[string] of count = {[10.1.1.1] = table(["a"] = 1), [10.2.2.2] = table(["b"] = 2)};
+	local ta4: table[addr] of vector of count = {[10.1.1.1] = vector(1, 2), [10.2.2.2] = vector(3, 5)};
+	local ta5: table[count] of myrec1 = {[1] = myrec1($s="test", $c=2)};
+	print to_json(ta1);
+	print to_json(ta2);
+	print to_json(ta3);
+	print to_json(ta4);
+	print to_json(ta5, T);
+	}
diff --git a/testing/btest/scripts/policy/protocols/krb/ticket-logging.bro b/testing/btest/scripts/policy/protocols/krb/ticket-logging.bro
new file mode 100644
index 0000000000..0bc0a33d5d
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/krb/ticket-logging.bro
@@ -0,0 +1,6 @@
+# This test makes sure that krb ticket hashes are logged correctly.
+
+# @TEST-EXEC: bro -b -r $TRACES/krb/auth.trace %INPUT
+# @TEST-EXEC: btest-diff kerberos.log
+
+@load protocols/krb/ticket-logging
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro b/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro
new file mode 100644
index 0000000000..0e6065f937
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro
@@ -0,0 +1,21 @@
+# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap $SCRIPTS/external-ca-list.bro %INPUT
+# @TEST-EXEC: cat ssl.log > ssl-all.log
+# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp-2.pcap $SCRIPTS/external-ca-list.bro %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log
+
+@load protocols/ssl/validate-sct.bro
+
+module SSL;
+
+event ssl_established(c: connection)
+	{
+	print c$ssl$ct_proofs;
+	for ( i in c$ssl$ct_proofs )
+		{
+		local proof = c$ssl$ct_proofs[i];
+		local log = SSL::ct_logs[proof$logid];
+		print log$description, proof$valid;
+		}
+	}
diff --git a/testing/btest/signatures/dst-ip-cidr-v4.bro b/testing/btest/signatures/dst-ip-cidr-v4.bro
new file mode 100644
index 0000000000..e86a746e54
--- /dev/null
+++ b/testing/btest/signatures/dst-ip-cidr-v4.bro
@@ -0,0 +1,17 @@
+# @TEST-EXEC: bro -r $TRACES/ntp.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE a.sig
+signature foo {
+    dst-ip == 17.0.0.0/8
+    ip-proto == udp
+    event "match"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+	{
+	print "match", state$sig_id;
+	}
+
+@load-sigs ./a.sig
diff --git a/testing/btest/signatures/udp-payload-size.bro b/testing/btest/signatures/udp-payload-size.bro
new file mode 100644
index 0000000000..efc5411feb
--- /dev/null
+++ b/testing/btest/signatures/udp-payload-size.bro
@@ -0,0 +1,23 @@
+# @TEST-EXEC: bro -r $TRACES/ntp.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE a.sig
+signature foo1 {
+    ip-proto == udp
+    payload-size < 1
+    event "match"
+}
+
+signature foo2 {
+    ip-proto == udp
+    payload-size > 0
+    event "match"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+	{
+	print "match", state$sig_id;
+	}
+
+@load-sigs ./a.sig
diff --git a/testing/scripts/coverage-calc b/testing/scripts/coverage-calc
index cc5253c75c..df12e0c86f 100755
--- a/testing/scripts/coverage-calc
+++ b/testing/scripts/coverage-calc
@@ -56,4 +56,4 @@ for k in stats:
         num_covered += 1
 
 if len(stats) > 0:
-    print "%s/%s (%.1f%%) Bro script statements covered." % (num_covered, len(stats), float(num_covered)/len(stats)*100)
+    print("%s/%s (%.1f%%) Bro script statements covered." % (num_covered, len(stats), float(num_covered)/len(stats)*100))